Bug #2810
Status: closed
Missing array entry type check in config_insert (configfile.c), SIGSEGV
Description
Hello,
opening the attached sample config input file with lighttpd results in a crash (SIGSEGV). The input file is fuzzed with american fuzzy lop http://lcamtuf.coredump.cx/afl/.
version:
commit b23065e54778dd187c77f1dd37041fb039f21dde
how to reproduce:
$ ./src/lighttpd -t -f <attached config file>
gdb:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 buffer_is_equal_string (a=0x1, s=0x45c52f "mod_indexfile", b_len=13) at buffer.c:396
396 if (a->used != b_len + 1) return 0;
(gdb) bt
#0 buffer_is_equal_string (a=0x1, s=0x45c52f "mod_indexfile", b_len=13) at buffer.c:396
#1 0x000000000041cccb in config_insert (srv=<optimized out>) at configfile.c:413
#2 config_read (srv=<optimized out>, fn=<optimized out>) at configfile.c:1371
#3 0x000000000040c137 in server_main (argc=<optimized out>, argv=<optimized out>, srv=<optimized out>)
at server.c:883
#4 main (argc=4, argv=0x7ffc9bb29da8) at server.c:1851
24102 Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
24102 Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
24102 Command: ./src/lighttpd -t -f /tmp/crash
24102
2017-05-06 10:31:16: (configfile.c.393) unexpected value for server.modules; expected list of "mod_xxxxxx" strings
24102 Invalid read of size 8
24102 at 0x42C28B: buffer_is_equal_string (buffer.c:396)
24102 by 0x41CCCA: config_insert (configfile.c:413)
24102 by 0x41CCCA: config_read (configfile.c:1371)
24102 by 0x40C136: server_main (server.c:883)
24102 by 0x40C136: main (server.c:1851)
24102 Address 0x9 is not stack'd, malloc'd or (recently) free'd
24102
24102
24102 Process terminating with default action of signal 11 (SIGSEGV): dumping core
24102 Access not within mapped region at address 0x9
24102 at 0x42C28B: buffer_is_equal_string (buffer.c:396)
24102 by 0x41CCCA: config_insert (configfile.c:413)
24102 by 0x41CCCA: config_read (configfile.c:1371)
24102 by 0x40C136: server_main (server.c:883)
24102 by 0x40C136: main (server.c:1851)
24102 If you believe this happened as a result of a stack
24102 overflow in your program's main thread (unlikely but
24102 possible), you can try to increase the size of the
24102 main thread stack using the --main-stacksize= flag.
24102 The main thread stack size used in this run was 8388608.
24102
24102 HEAP SUMMARY:
24102 in use at exit: 6,872 bytes in 102 blocks
24102 total heap usage: 156 allocs, 54 frees, 16,900 bytes allocated
24102
24102 LEAK SUMMARY:
24102 definitely lost: 0 bytes in 0 blocks
24102 indirectly lost: 0 bytes in 0 blocks
24102 possibly lost: 0 bytes in 0 blocks
24102 still reachable: 6,872 bytes in 102 blocks
24102 suppressed: 0 bytes in 0 blocks
24102 Rerun with --leak-check=full to see details of leaked memory
24102
24102 For counts of detected and suppressed errors, rerun with: -v
24102 ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 24102 segmentation fault valgrind ./src/lighttpd -t -f /tmp/crash
Cheers,
Stephan Zeisberg
Updated by stbuehler over 7 years ago
- Subject changed from Memory corruption in buffer_is_equal_string (buffer.c), SIGSEGV to Missing array entry type check in config_insert (configfile.c), SIGSEGV
Minified reproducer:
server.modules = ( 1 )
config_insert does check the type of the server.modules entries, but doesn't abort immediately. It probably should check the type again in line 411 (ds = (data_string *)srv->srvconf.modules->data[i];), or abort before.
Updated by gstrauss over 7 years ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.x to 1.4.46
--- a/src/configfile.c +++ b/src/configfile.c @@ -393,9 +393,7 @@ static int config_insert(server *srv) { log_error_write(srv, __FILE__, __LINE__, "s", "unexpected value for server.modules; expected list of \"mod_xxxxxx\" strings"); ret = HANDLER_ERROR; - } - - { + } else { data_string *ds; int prepend_mod_indexfile = 1; int append_mod_dirlisting = 1;
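Review bot: the "} else {" only skips the module-processing block when the preceding check has set ret = HANDLER_ERROR; the check itself still doesn't return, so the rest of config_insert continues after a failed type check. Either confirm that nothing later in the function casts srv->srvconf.modules entries to data_string, or return early right after the log_error_write so the bad list is never touched again.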
Updated by gstrauss over 7 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset dfc1603c4b4c563c013ea36d0a284648729301d4.
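As an added example (not lighttpd's own code), a minimal C model of the fixed control flow from this thread: a tagged config-value array whose module list is only walked once every entry has passed the string type check, so the "( 1 )" reproducer is rejected instead of being cast to data_string. The type names, enum values and the module_list output are hypothetical stand-ins for lighttpd's structures.

```c
/* Added example, not lighttpd's code: minimal model of the tagged
 * config-value array from this report, with the fix's control flow:
 * the module list is walked only when every entry is a string.
 * Type names, enum values and module_list are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { TYPE_STRING, TYPE_INTEGER };
enum { HANDLER_GO_ON = 0, HANDLER_ERROR = 2 };

typedef struct { int type; } data_unset;                    /* common header */
typedef struct { int type; const char *value; } data_string;
typedef struct { int type; int value; } data_integer;        /* "( 1 )" */

#define MAX_MODULES 8
typedef struct { const char *names[MAX_MODULES]; size_t used; } module_list;

/* Returns HANDLER_ERROR if any entry is not a string; then out->used is 0
 * and nothing has been cast to data_string. Otherwise copies the names,
 * adding mod_indexfile in front and mod_dirlisting at the end when absent. */
int config_insert_modules(data_unset **data, size_t used, module_list *out) {
    int ret = HANDLER_GO_ON;
    size_t i;
    out->used = 0;
    for (i = 0; i < used; i++) {
        if (data[i]->type != TYPE_STRING) {
            fprintf(stderr, "unexpected value for server.modules; "
                            "expected list of \"mod_xxxxxx\" strings\n");
            ret = HANDLER_ERROR;   /* recorded, but no early return ... */
        }
    }
    if (ret == HANDLER_GO_ON) {    /* ... so this is the "} else {" of the fix */
        int prepend_mod_indexfile = 1;
        int append_mod_dirlisting = 1;
        for (i = 0; i < used; i++) {
            const data_string *ds = (const data_string *)data[i]; /* safe now */
            if (strcmp(ds->value, "mod_indexfile") == 0) prepend_mod_indexfile = 0;
            if (strcmp(ds->value, "mod_dirlisting") == 0) append_mod_dirlisting = 0;
        }
        if (prepend_mod_indexfile) out->names[out->used++] = "mod_indexfile";
        for (i = 0; i < used && out->used < MAX_MODULES; i++)
            out->names[out->used++] = ((const data_string *)data[i])->value;
        if (append_mod_dirlisting && out->used < MAX_MODULES)
            out->names[out->used++] = "mod_dirlisting";
    }
    return ret;
}
```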