Lighttpd

Hello,

opening the attached sample config input file with lighttpd results in a
crash (SIGSEGV). The input file is fuzzed with american fuzzy
lop http://lcamtuf.coredump.cx/afl/.

version:
commit b23065e54778dd187c77f1dd37041fb039f21dde

how to reproduce:

$ ./src/lighttpd -t -f <attached config file>

gdb:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 buffer_is_equal_string (a=0x1, s=0x45c52f "mod_indexfile", b_len=13) at buffer.c:396
396 if (a->used != b_len + 1) return 0;
(gdb) bt
#0 buffer_is_equal_string (a=0x1, s=0x45c52f "mod_indexfile", b_len=13) at buffer.c:396
#1 0x000000000041cccb in config_insert (srv=<optimized out>) at configfile.c:413
#2 config_read (srv=<optimized out>, fn=<optimized out>) at configfile.c:1371
#3 0x000000000040c137 in server_main (argc=<optimized out>, argv=<optimized out>, srv=<optimized out>)
at server.c:883
#4 main (argc=4, argv=0x7ffc9bb29da8) at server.c:1851

24102 Memcheck, a memory error detector
24102 Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
24102 Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
24102 Command: ./src/lighttpd -t -f /tmp/crash
24102
2017-05-06 10:31:16: (configfile.c.393) unexpected value for server.modules; expected list of "mod_xxxxxx" strings
24102 Invalid read of size 8
24102 at 0x42C28B: buffer_is_equal_string (buffer.c:396)
24102 by 0x41CCCA: config_insert (configfile.c:413)
24102 by 0x41CCCA: config_read (configfile.c:1371)
24102 by 0x40C136: server_main (server.c:883)
24102 by 0x40C136: main (server.c:1851)
24102 Address 0x9 is not stack'd, malloc'd or (recently) free'd
24102
24102
24102 Process terminating with default action of signal 11 (SIGSEGV): dumping core
24102 Access not within mapped region at address 0x9
24102 at 0x42C28B: buffer_is_equal_string (buffer.c:396)
24102 by 0x41CCCA: config_insert (configfile.c:413)
24102 by 0x41CCCA: config_read (configfile.c:1371)
24102 by 0x40C136: server_main (server.c:883)
24102 by 0x40C136: main (server.c:1851)
24102 If you believe this happened as a result of a stack
24102 overflow in your program's main thread (unlikely but
24102 possible), you can try to increase the size of the
24102 main thread stack using the --main-stacksize= flag.
24102 The main thread stack size used in this run was 8388608.
24102
24102 HEAP SUMMARY:
24102 in use at exit: 6,872 bytes in 102 blocks
24102 total heap usage: 156 allocs, 54 frees, 16,900 bytes allocated
24102
24102 LEAK SUMMARY:
24102 definitely lost: 0 bytes in 0 blocks
24102 indirectly lost: 0 bytes in 0 blocks
24102 possibly lost: 0 bytes in 0 blocks
24102 still reachable: 6,872 bytes in 102 blocks
24102 suppressed: 0 bytes in 0 blocks
24102 Rerun with --leak-check=full to see details of leaked memory
24102
24102 For counts of detected and suppressed errors, rerun with: -v
24102 ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1] 24102 segmentation fault valgrind ./src/lighttpd -t -f /tmp/crash

Cheers,
Stephan Zeisberg