Bug #2822

closed

Segmentation fault on HTTP chunked input

Added by AlxT about 7 years ago. Updated about 7 years ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:

Description

Apps like WhatsApp are sending requests with \r\n after header:

POST /chat HTTP/1.1
Host: c.whatsapp.net
User-Agent: Mozilla/5.0 (compatible; WAChat/1.2; +http://www.whatsapp.com/contact)
Transfer-Encoding: chunked

If mod_fastcgi is enabled then we are getting a Segmentation fault.
Bug affects versions >= 1.4.44

Actions #1

Updated by gstrauss about 7 years ago

  • Target version changed from 1.4.x to 1.4.46

Thanks for the report. Are there any more details you can provide? Do you mean that the header looks like the following?

POST /chat HTTP/1.1\r\n
Host: c.whatsapp.net\r\n
User-Agent: Mozilla/5.0 (compatible; WAChat/1.2; +http://www.whatsapp.com/contact)\r\n
Transfer-Encoding: chunked\r\n
\r\n
\r\n

Actions #2

Updated by gstrauss about 7 years ago

Ok. I can get this. An assert() is firing and I'll have to look why later tonight.

Program received signal SIGSEGV, Segmentation fault.
connection_handle_read_post_chunked (dst_cq=0x658600, cq=0x6585b0, 
    con=0x657f90, srv=0x646010) at connections-glue.c:128
128                force_assert(c->type == MEM_CHUNK);
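The trace above stops at the first read of a chunk-size line from the request body. The following is an added illustration for this thread, not lighttpd's code: a chunk-size-line reader that treats an empty input buffer (the state the server is in when only the headers have arrived) and a partial line as "wait for more data" instead of asserting, and rejects malformed size lines. The request strings are constructed samples and the Host value is a placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of trying to read one chunk-size line from buffered input. */
typedef enum {
    CHUNK_NEED_MORE = 0, /* no complete line yet; includes an empty buffer */
    CHUNK_OK,            /* size parsed, *consumed covers the whole line    */
    CHUNK_BAD            /* malformed size line: reject the request (400)  */
} chunk_status;

/* Parse one "<hex-size>[;ext]\r\n" line from buf[0..len).
 * The first two checks are the defensive part: an empty buffer and a line
 * without a terminating '\n' both mean "wait", never "dereference". */
chunk_status parse_chunk_size_line(const char *buf, size_t len,
                                   size_t *size_out, size_t *consumed)
{
    if (buf == NULL || len == 0) return CHUNK_NEED_MORE;
    const char *nl = memchr(buf, '\n', len);
    if (nl == NULL) return CHUNK_NEED_MORE;

    /* Tolerate a bare LF as well as CRLF. */
    const char *end = (nl > buf && nl[-1] == '\r') ? nl - 1 : nl;

    size_t size = 0;
    int digits = 0;
    const char *p = buf;
    for (; p < end; ++p) {
        int v;
        if (*p >= '0' && *p <= '9')      v = *p - '0';
        else if (*p >= 'a' && *p <= 'f') v = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') v = *p - 'A' + 10;
        else break;
        if (size > (SIZE_MAX >> 4)) return CHUNK_BAD; /* hex overflow */
        size = (size << 4) | (size_t)v;
        ++digits;
    }
    if (digits == 0) return CHUNK_BAD;           /* empty line or no hex digits */
    if (p < end && *p != ';') return CHUNK_BAD;  /* only a chunk extension may follow */

    if (size_out) *size_out = size;
    if (consumed) *consumed = (size_t)(nl - buf) + 1;
    return CHUNK_OK;
}

/* Skip the header block and try to read the first chunk-size line, which is
 * the point at which the reported crash occurred. */
chunk_status first_chunk_of_request(const char *req, size_t *size_out)
{
    const char *body = strstr(req, "\r\n\r\n");
    if (body == NULL) return CHUNK_NEED_MORE;   /* header block not complete */
    body += 4;
    return parse_chunk_size_line(body, strlen(body), size_out, NULL);
}

/* Convenience wrapper: first chunk size, -1 = need more data, -2 = malformed. */
long first_chunk_size(const char *req)
{
    size_t size = 0;
    switch (first_chunk_of_request(req, &size)) {
    case CHUNK_OK:        return (long)size;
    case CHUNK_NEED_MORE: return -1;
    default:              return -2;
    }
}

/* Constructed sample requests (not captured traffic); Host is a placeholder. */
static const char REQ_HEADERS_ONLY[] =
    "POST /chat HTTP/1.1\r\nHost: example.invalid\r\n"
    "Transfer-Encoding: chunked\r\n\r\n";
static const char REQ_WITH_BODY[] =
    "POST /chat HTTP/1.1\r\nHost: example.invalid\r\n"
    "Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n";
static const char REQ_EXTRA_CRLF[] =
    "POST /chat HTTP/1.1\r\nHost: example.invalid\r\n"
    "Transfer-Encoding: chunked\r\n\r\n\r\n";
static const char REQ_BAD_SIZE[] =
    "POST /chat HTTP/1.1\r\nHost: example.invalid\r\n"
    "Transfer-Encoding: chunked\r\n\r\nzz\r\n";

int main(void)
{
    printf("headers only : %ld\n", first_chunk_size(REQ_HEADERS_ONLY)); /* -1 */
    printf("with body    : %ld\n", first_chunk_size(REQ_WITH_BODY));    /*  5 */
    printf("extra CRLF   : %ld\n", first_chunk_size(REQ_EXTRA_CRLF));   /* -2 */
    printf("bad size     : %ld\n", first_chunk_size(REQ_BAD_SIZE));     /* -2 */
    return 0;
}
```

The headers-only request returns "need more data", which is the case the fix later in this thread adds a NULL guard for. An empty line where a chunk size is expected (the second CRLF asked about in the first comment) is treated here as malformed rather than skipped; that strictness is this example's choice, and a server may be more lenient.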

Actions #3

Updated by gstrauss about 7 years ago

This appears to fix it. I'll review some other scenarios later and then will commit a fix.

--- a/src/connections-glue.c
+++ b/src/connections-glue.c
@@ -125,6 +125,7 @@ static handler_t connection_handle_read_post_chunked(server *srv, connection *co
         while (0 == te_chunked) {
             char *p;
             chunk *c = cq->first;
+            if (NULL == c) break;
             force_assert(c->type == MEM_CHUNK);
             p = strchr(c->mem->ptr+c->offset, '\n');
             if (NULL != p) { /* found HTTP chunked header line */
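Review bot: the added `if (NULL == c) break;` before `force_assert(c->type == MEM_CHUNK);` stops the NULL dereference when the chunkqueue is empty, but it leaves `while (0 == te_chunked)` with te_chunked still 0, so whatever follows the loop must treat an empty queue as "more data needed" rather than as an error or end of body; please confirm that path and add a one-line comment at the guard saying that an empty queue is expected when the client has sent only the header block so far, since the assert on the next line otherwise reads as if a chunk is always present.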

Actions #4

Updated by gstrauss about 7 years ago

  • Subject changed from Segmentation fault. fast_cgi to Segmentation fault on HTTP chunked input
  • Category changed from mod_fastcgi to core
  • Status changed from New to Patch Pending

Actions #5

Updated by gstrauss about 7 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100