httpd crashes with SIGSEGV when using "block return 401"
Jurjen Oskam
2017-05-14 08:05:37 UTC
Hi,

httpd crashes with a segmentation violation when servicing requests with
the following (minimal) config file:

server "default" {
	listen on * port 80
	block return 401
}

It starts up OK, but on the first request this happens:

# httpd -d -v -v
startup
server_privinit: adding server default
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
logger exiting, pid 88769
lost child: pid 18355 terminated; signal 11
server exiting, pid 90619
server exiting, pid 37360
parent terminating, pid 91332


Altering the listening address or port results in the same symptom.
Using other HTTP return codes (I've tried 402, 403, 404 and 405) does
*not* result in a crash; these seem to work as expected.

This happens on OpenBSD 6.0, 6.1 as well as -current.

If I can do anything to diagnose/fix this, please let me know via a
Cc:.

Regards,

Jurjen Oskam
Jonathan Gray
2017-05-14 08:37:55 UTC
Post by Jurjen Oskam
Hi,
httpd crashes with a segmentation violation when servicing requests with
server "default" {
listen on * port 80
block return 401
}
# httpd -d -v -v
startup
server_privinit: adding server default
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
logger exiting, pid 88769
lost child: pid 18355 terminated; signal 11
server exiting, pid 90619
server exiting, pid 37360
parent terminating, pid 91332
Altering the listening address or port results in the same symptom.
Using other HTTP return codes (I've tried 402, 403, 404 and 405) does
*not* result in a crash; these seem to work as expected.
This happens on OpenBSD 6.0, 6.1 as well as -current.
If I can do anything to diagnose/fix this, please let me know via a
Cc:.
Regards,
Jurjen Oskam
Thanks for the report. The crash occurs when stravis(3) is passed a
NULL msg value.

Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.116
diff -u -p -r1.116 server_http.c
--- server_http.c 16 Mar 2017 10:18:11 -0000 1.116
+++ server_http.c 14 May 2017 08:33:43 -0000
@@ -887,6 +887,8 @@ server_abort_http(struct client *clt, un
msg = buf;
break;
case 401:
+ if (msg == NULL)
+ break;
if (stravis(&escapedmsg, msg, VIS_DQ) == -1) {
code = 500;
extraheader = NULL;
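Review bot: in the 401 case, the new "if (msg == NULL) break;" leaves the switch before stravis() runs, so on that path nothing in this case assigns escapedmsg or extraheader. Both need to be initialised to NULL before the switch (not visible in this hunk), because any later free or format of them depends on it. A one-line comment saying that a NULL msg is what a bare "block return 401" produces, per the report in this thread, would make the early break read as intentional rather than as a silenced error.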
@@ -898,6 +900,8 @@ server_abort_http(struct client *clt, un
}
break;
case 416:
+ if (msg == NULL)
+ break;
if (asprintf(&extraheader,
"Content-Range: %s\r\n", msg) == -1) {
code = 500;
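Review bot: in the 416 case, the early break sends the response with code still 416 but without the Content-Range header that the asprintf() call below would have built from msg. That matches the goal of keeping "block return 416" usable, but the omission is silent; a short comment on the new check stating that the header is deliberately skipped when msg is NULL would help the next reader, since the guard looks identical to the one in the 401 case while skipping a different header.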
Florian Obser
2017-05-14 08:47:14 UTC
Post by Jonathan Gray
Post by Jurjen Oskam
Hi,
httpd crashes with a segmentation violation when servicing requests with
server "default" {
listen on * port 80
block return 401
}
# httpd -d -v -v
startup
server_privinit: adding server default
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
server_launch: configuring server default
server_launch: running server default
logger exiting, pid 88769
lost child: pid 18355 terminated; signal 11
server exiting, pid 90619
server exiting, pid 37360
parent terminating, pid 91332
Altering the listening address or port results in the same symptom.
Using other HTTP return codes (I've tried 402, 403, 404 and 405) does
*not* result in a crash; these seem to work as expected.
This happens on OpenBSD 6.0, 6.1 as well as -current.
If I can do anything to diagnose/fix this, please let me know via a
Cc:.
Regards,
Jurjen Oskam
Thanks for the report. The crash occurs when stravis(3) is passed a
NULL msg value.
OK florian@

(I was wondering if we should set code = 500 in these cases, but that
would prevent using block return 401 / 416)
Post by Jonathan Gray
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.116
diff -u -p -r1.116 server_http.c
--- server_http.c 16 Mar 2017 10:18:11 -0000 1.116
+++ server_http.c 14 May 2017 08:33:43 -0000
@@ -887,6 +887,8 @@ server_abort_http(struct client *clt, un
msg = buf;
break;
+ if (msg == NULL)
+ break;
if (stravis(&escapedmsg, msg, VIS_DQ) == -1) {
code = 500;
extraheader = NULL;
@@ -898,6 +900,8 @@ server_abort_http(struct client *clt, un
}
break;
+ if (msg == NULL)
+ break;
if (asprintf(&extraheader,
"Content-Range: %s\r\n", msg) == -1) {
code = 500;
--
I'm not entirely sure you are real.