[Bug 64598] New: mod_http2 and mod_proxy_uwsgi: segfault in uwsgi_send_headers()

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64598

            Bug ID: 64598
           Summary: mod_http2 and mod_proxy_uwsgi: segfault in
                    uwsgi_send_headers()
           Product: Apache httpd-2
           Version: 2.4.43
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_http2
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Original bug report including backtrace:
https://bugzilla.suse.com/show_bug.cgi?id=1174052

The easiest way to reproduce:

$ git clone https://github.com/pgajdos/apache-rex.git
$ cd apache-rex
$ HTTPD_MPM=worker ./run-rex mod_proxy_uwsgi-http2
[..]
$ cat /tmp/apache-rex/mod_proxy_uwsgi-http2/error_log
[Tue Jul 14 10:18:32.584670 2020] [mpm_worker:notice] [pid 670:tid
140293301127168] AH00292: Apache/2.4.43 (Linux/SUSE) OpenSSL/1.1.1g configured
-- resuming normal operations
[Tue Jul 14 10:18:32.584841 2020] [core:notice] [pid 670:tid 140293301127168]
AH00094: Command line: 'httpd -f
/tmp/apache-rex/mod_proxy_uwsgi-http2/httpd.conf'
[Tue Jul 14 10:18:37.395546 2020] [core:notice] [pid 670:tid 140293301127168]
AH00051: child pid 674 exit signal Segmentation fault (11), possible coredump
in /srv/www
[Tue Jul 14 10:18:37.412147 2020] [mpm_worker:notice] [pid 670:tid
140293301127168] AH00295: caught SIGTERM, shutting down
$

I can work out a test case which does not need the apache-rex framework if you wish,
and of course help in other ways.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

--- Comment #1 from Petr Gajdos <[hidden email]> ---
(gdb) frame 1
#1  0x00007ffff4838e4f in uwsgi_send_headers (r=0x55555599ac20,
conn=0x55555599ec40) at mod_proxy_uwsgi.c:178
178             headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
(gdb) p env[j]
$6 = {key = 0x7ffff59d78d8 "H2_STREAM_ID", val = 0x0, key_checksum =
1209163603}
(gdb)

--- Comment #2 from Ruediger Pluem <[hidden email]> ---
Does the below patch fix your issue?

Index: modules/proxy/mod_proxy_uwsgi.c
===================================================================
--- modules/proxy/mod_proxy_uwsgi.c     (revision 1879840)
+++ modules/proxy/mod_proxy_uwsgi.c     (working copy)
@@ -175,7 +175,7 @@
     env = (apr_table_entry_t *) env_table->elts;

     for (j = 0; j < env_table->nelts; ++j) {
-        headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
+        headerlen += 2 + strlen(env[j].key) + 2 + env[j].val ?
strlen(env[j].val) : 0;
     }

     ptr = buf = apr_palloc(r->pool, headerlen);
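
Review bot: operator precedence defeats the NULL guard in the new `headerlen +=` line of the first loop: `?:` binds more loosely than `+`, so the condition is the whole sum `2 + strlen(env[j].key) + 2 + env[j].val`, which is non-zero even for a NULL value, and `strlen(env[j].val)` is still called. Each iteration then adds only the value length, so `headerlen` leaves out the keys and the two 2-byte length prefixes, and the `apr_palloc()` below it returns a buffer smaller than what the second loop writes. Wrap the conditional: `(env[j].val ? strlen(env[j].val) : 0)`.
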
@@ -189,10 +189,12 @@
         memcpy(ptr, env[j].key, keylen);
         ptr += keylen;

-        vallen = strlen(env[j].val);
+        vallen = env[j].val ? strlen(env[j].val) : 0;
         *ptr++ = (apr_byte_t) (vallen & 0xff);
         *ptr++ = (apr_byte_t) ((vallen >> 8) & 0xff);
-        memcpy(ptr, env[j].val, vallen);
+        if (env[j].val) {
+            memcpy(ptr, env[j].val, vallen);
+        }
         ptr += vallen;
     }
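
Review bot: the copy loop now sends a NULL `env[j].val` as a zero-length value, so the receiving side cannot tell an unset variable from one set to the empty string; say in a comment above `vallen = env[j].val ? strlen(env[j].val) : 0;` that this is the intended encoding. The added `if (env[j].val)` guard could test `vallen` instead, which also skips the zero-byte `memcpy()` for an empty string. The two length bytes written from `vallen` keep only its low 16 bits, and nothing in the visible lines rejects a longer value.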

--- Comment #3 from Petr Gajdos <[hidden email]> ---
http://mail-archives.apache.org/mod_mbox/httpd-dev/202004.mbox/%3CD7404045-5A90-4547-8445-4A87758C100A@...%3E

This looks similar.

--- Comment #4 from Petr Gajdos <[hidden email]> ---
(In reply to Ruediger Pluem from comment #2)

> Does the below patch fix your issue?
>
> Index: modules/proxy/mod_proxy_uwsgi.c
> ===================================================================
> --- modules/proxy/mod_proxy_uwsgi.c (revision 1879840)
> +++ modules/proxy/mod_proxy_uwsgi.c (working copy)
> @@ -175,7 +175,7 @@
>      env = (apr_table_entry_t *) env_table->elts;
>  
>      for (j = 0; j < env_table->nelts; ++j) {
> -        headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
> +        headerlen += 2 + strlen(env[j].key) + 2 + env[j].val ?
> strlen(env[j].val) : 0;
>      }
>  
>      ptr = buf = apr_palloc(r->pool, headerlen);
> @@ -189,10 +189,12 @@
>          memcpy(ptr, env[j].key, keylen);
>          ptr += keylen;
>  
> -        vallen = strlen(env[j].val);
> +        vallen = env[j].val ? strlen(env[j].val) : 0;
>          *ptr++ = (apr_byte_t) (vallen & 0xff);
>          *ptr++ = (apr_byte_t) ((vallen >> 8) & 0xff);
> -        memcpy(ptr, env[j].val, vallen);
> +        if (env[j].val) {
> +            memcpy(ptr, env[j].val, vallen);
> +        }
>          ptr += vallen;
>      }

Will check ..

--- Comment #5 from Petr Gajdos <[hidden email]> ---
You probably wanted
 headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val) :
0;
right?

Now it does not crash, yes. I will ask the original reporter for testing.

--- Comment #6 from Petr Gajdos <[hidden email]> ---
(In reply to Petr Gajdos from comment #5)
> You probably wanted
>  headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val)
> : 0;

Eh,
headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val  :
0);
of course.

--- Comment #7 from Petr Gajdos <[hidden email]> ---
Heh, I actually mean
headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val) :
0);

--- Comment #8 from Ruediger Pluem <[hidden email]> ---
(In reply to Petr Gajdos from comment #7)
> Heh, I actually mean
> headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val) :
> 0);

That's what I meant :-)
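
The sizing expression the thread settles on, next to the grouping C gives the unparenthesised form, as an added C example (not code from httpd or from either poster). `kv_t`, the function names and the `REQUEST_METHOD` entry are constructed for illustration, and the bounds checks in `pack_env` are this example's own assumption.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for apr_table_entry_t; only key and val are used. */
typedef struct { const char *key; const char *val; } kv_t;
/* Constructed sample: the NULL-valued entry from comment #1 plus a normal one. */
static const kv_t SAMPLE[] = { { "H2_STREAM_ID", NULL }, { "REQUEST_METHOD", "GET" } };

/* Sizing pass using the parenthesised conditional from comment #7. */
size_t packed_size(const kv_t *env, size_t n) {
    size_t total = 0;
    for (size_t j = 0; j < n; ++j)
        total += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val) : 0);
    return total;
}

/* The unparenthesised form as C groups it: the sum left of '?' is the condition,
 * so only strlen(val) is added. Non-NULL values only: NULL would still hit strlen. */
size_t misgrouped_size(const kv_t *env, size_t n) {
    size_t total = 0;
    for (size_t j = 0; j < n; ++j)
        total += (2 + strlen(env[j].key) + 2 + (uintptr_t)env[j].val)
                     ? strlen(env[j].val) : 0;
    return total;
}

/* Copy pass: 16-bit little-endian length, then bytes; a NULL val gets length 0.
 * Returns bytes written, or 0 if cap is too small or a length exceeds 16 bits. */
size_t pack_env(const kv_t *env, size_t n, uint8_t *buf, size_t cap) {
    uint8_t *p = buf;
    if (packed_size(env, n) > cap) return 0;
    for (size_t j = 0; j < n; ++j) {
        const char *parts[2] = { env[j].key, env[j].val };
        for (int k = 0; k < 2; ++k) {
            size_t len = parts[k] ? strlen(parts[k]) : 0;
            if (len > 0xffff) return 0;
            *p++ = (uint8_t)(len & 0xff);
            *p++ = (uint8_t)((len >> 8) & 0xff);
            if (len) memcpy(p, parts[k], len);
            p += len;
        }
    }
    return (size_t)(p - buf);
}

int main(void) {
    uint8_t buf[64];
    return pack_env(SAMPLE, 2, buf, sizeof buf) == packed_size(SAMPLE, 2) ? 0 : 1;
}
```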

--- Comment #9 from Petr Gajdos <[hidden email]> ---
The reporter says everything works.

Thanks Ruediger for the very very fast response!

Ruediger Pluem <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk,
                   |                            |PatchAvailable

--- Comment #10 from Ruediger Pluem <[hidden email]> ---
Committed to trunk as r1879878.
