Lighttpd

Hi,

I would like to report a segfault in lighttpd 1.4.43.

Here is a gdb backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x76b89600 in fcgi_host_assign (srv=0x65008, hctx=0xe0460, host=0x19) at mod_fastcgi.c:413
413 hctx->host->load++;
(gdb) bt
#0 0x76b89600 in fcgi_host_assign (srv=0x65008, hctx=0xe0460, host=0x19) at mod_fastcgi.c:413
#1 0x76b8d64c in fcgi_reconnect (srv=0x65008, hctx=0xe0460) at mod_fastcgi.c:1717
#2 0x76b91398 in fcgi_send_request (srv=0x65008, hctx=0xe0460) at mod_fastcgi.c:2962
#3 0x76b91f20 in fcgi_handle_fdevent (srv=0x65008, ctx=0xe0460, revents=28) at mod_fastcgi.c:3190
#4 0x0001ad7c in main (argc=6, argv=0x7efff524) at server.c:1804

I'm not a lighttpd developer, I've just stepped through the code and saw the following
(wrong) execution path:

fcgi_reconnect() first calls fcgi_extension_host_get();

in fcgi_extension_host_get(), in the for loop, the var. 'ndx' is initialized to -1
and hold the value also after the loop:

...
for (k = 0, ndx = 1; k < extension>used; k++) {
host = extension->hosts[k];
...
}

at the end of the function then it returns 'extension->hosts[ndx]' that is
'extension->hosts[-1]' that is obviously wrong:

...
/* found a server */
extension->last_used_ndx = ndx;
return extension->hosts[ndx];
}

giorgio