Bug #1263

Segmentation fault in mod_scgi

Added by jtate about 12 years ago. Updated about 11 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Missing in 1.5.x:


I believe this happens when an existing scgi request is in progress when the other side of the scgi socket closes the connection.

Here's the backtrace from gdb

(gdb) bt
#0  0xb7cb5d3b in strlen () from /lib/
#1  0x0805ba75 in buffer_append_string (b=0x806f308, s=0xd <Address 0xd out of bounds>) at buffer.c:171
#2  0x0805cf81 in log_error_write (srv=0x806f008, filename=0xd <Address 0xd out of bounds>, line=13,
    fmt=0xb7ef91c2 "sd") at log.c:192
#3  0xb7ef7a2d in scgi_handle_fdevent (s=0x806f008, ctx=0x80c1fe0, revents=25) at mod_scgi.c:2539
#4  0x0804e52e in main (argc=14, argv=0xbff62744) at server.c:1309

I'll attach the valgrind log.

lighttpd.14669 (22.2 KB) lighttpd.14669 valgrind log jtate, 2007-07-16 19:30 (1.55 KB) Python SCGI server that kills lighttpd jtate, 2007-07-17 17:10
lighttpd.conf.test (1.47 KB) lighttpd.conf.test test configuration jtate, 2007-07-17 17:10

Associated revisions

Revision 8f9f5320 (diff)
Added by jan about 12 years ago

  • fixed crash on 32bit archs when debug-msgs are printed in mod_scgi,
    mod_fastcgi and mod_webdav (#1263)

git-svn-id: svn:// 152afb58-edef-0310-8abb-c4023f1b3aa9



Updated by moo about 12 years ago

i'm not sure, but from your descrption, possible reproduce case is:
  1. write a scgi backend script that sleep(100);
  2. request it from client->lighttpd->scgi-backend
  3. kill the scgi-backend

Updated by darix about 12 years ago

this is really 1.4.15 and not 1.4.12 or older?


Updated by jtate about 12 years ago

Yes, 1.4.15:

lighttpd-1.4.15 (ssl) - a light and fast webserver
Build-Date: Apr 17 2007 23:55:24

Event Handlers:

        + select (generic)
        + poll (Unix)
        + rt-signals (Linux 2.4+)
        + epoll (Linux 2.6)
        - /dev/poll (Solaris)
        - kqueue (FreeBSD)

Network handler:

        + sendfile


        + IPv6 support
        + zlib support
        + bzip2 support
        + crypt support
        + SSL Support
        + PCRE support
        - mySQL support
        - LDAP support
        - memcached support
        - FAM support
        - LUA support
        - xml support
        - SQLite support
        - GDBM support

Updated by jan about 12 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in r1882

This only happens on 32bit apps where sizeof(off_t) != sizeof(int). We use the wrong format specifier.

Also available in: Atom