Bug #2467


lightttpd-1.4.26+a few patches segfaults

Added by dwyart over 8 years ago. Updated over 8 years ago.

Target version:



In a production environment, I am stuck at version 1.4.26. As some fixes seemed quite important to me (notably BEAST one, pushed by our security officer), I got agreement to recompile it (from Ubuntu Lucid) with some changesets applied (r2716, r2806, r2808, r2810, r2815 and r2822). I realize this is not a standard distribution, but I get a segfault (not present in Ubuntu version without patches). The full backtrace is attached. The crash occurs at lige 200 of network_openssl.c, corresponding to the call "r = SSL_write(ssl, s, toSend);". I also noticed during compilation a warning at this very line (also attached), so I am wondering if this is related... But the call is already present (embedded in an "if") in the unpatched version, and it doesn't segfault... As this is not my code I did not start to hack the second argument of the call (cast or &) to see if crash stays (compiler doesn't complain any more), I think it is better to get opinion of the developers.

The crash occurs immediatedly when sending an https request to lighttpd, but only from another hosts (not checked very deeply as several people participated in the debug and I tried to get info from them). A curl from localhost doesn't seem to trigger the crash.

I can try to provide more details if needed (not immediately as the preproduction env is often used by devel teams).

Many thanks in advance for any help. Googling on "ssl3_write_bytes" and "memcpy" did not give relevant results...


backtrace_lighttpd_1.4.26.txt (2.24 KB) backtrace_lighttpd_1.4.26.txt Full backtrace dwyart, 2013-01-09 17:01
compil_lighttpd_1.4.26.txt (789 Bytes) compil_lighttpd_1.4.26.txt Extract from compilation log, refering to line 200 of network_openssl.c dwyart, 2013-01-09 17:01
Actions #1

Updated by dwyart over 8 years ago

Forgot to write that the only patch touching the part of the code leading to segfault is r2808. Did not try without it as it is the main one we want to run on the patched version...

Actions #2

Updated by dwyart over 8 years ago

Ok, sorry the bug can be closed, our version of the r2808 patch had a typo (r = SSL_write(ssl, offset, toSend); insted of r = SSL_write(ssl, s, toSend);)

Sorry for the noise, I should have checked more carefully.

Actions #3

Updated by spaam over 8 years ago

  • Status changed from New to Invalid
Actions #4

Updated by stbuehler over 8 years ago

  • Target version deleted (1.4.x)

Hint: use a distribution which has security support for the software you are using, especially if you are "stuck" with stable releases. regarding lighttpd this means: don't use ubuntu.

Actions #5

Updated by dwyart over 8 years ago

Unfortunately, this is in a huge DC (several 1000s of servers, some of them still on Debian Etch) and I have 0 decision power on this topic... Just an average sysadmin :) The guideline of choosing one reference distro seems reasonable for so many machines, and I guess no "perfect" distro exist.

But of course I am fully aware of the drawbacks of Ubuntu on this front (security updates of not-so-much-used packages --- compared to Apache, for example), and completely agree with you.


Also available in: Atom