Bug #2822

Segmentation fault on HTTP chunked input

Added by AlxT about 2 years ago. Updated about 2 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: core
Target version:
Start date: 2017-09-25
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

Apps like WhatsApp are sending requests with \r\n after header:

POST /chat HTTP/1.1
Host: c.whatsapp.net
User-Agent: Mozilla/5.0 (compatible; WAChat/1.2; +http://www.whatsapp.com/contact)
Transfer-Encoding: chunked

If mod_fastcgi is enabled then we are getting a segmentation fault.
Bug affects versions >= 1.4.44

Associated revisions

Revision a156fdbc (diff)
Added by gstrauss about 2 years ago

[core] fix triggered assert on HTTP chunked input (fixes #2822)

(thx AlxT)

x-ref:
"Segmentation fault on HTTP chunked input"
https://redmine.lighttpd.net/issues/2822

History

#1

Updated by gstrauss about 2 years ago

  • Target version changed from 1.4.x to 1.4.46

Thanks for the report. Are there any more details you can provide? Do you mean that the header looks like the following?

POST /chat HTTP/1.1\r\n
Host: c.whatsapp.net\r\n
User-Agent: Mozilla/5.0 (compatible; WAChat/1.2; +http://www.whatsapp.com/contact)\r\n
Transfer-Encoding: chunked\r\n
\r\n
\r\n

#2

Updated by gstrauss about 2 years ago

Ok. I can get this. An assert() is firing and I'll have to look why later tonight.

Program received signal SIGSEGV, Segmentation fault.
connection_handle_read_post_chunked (dst_cq=0x658600, cq=0x6585b0, 
    con=0x657f90, srv=0x646010) at connections-glue.c:128
128                force_assert(c->type == MEM_CHUNK);

#3

Updated by gstrauss about 2 years ago

This appears to fix it. I'll review some other scenarios later and then will commit a fix.

--- a/src/connections-glue.c
+++ b/src/connections-glue.c
@@ -125,6 +125,7 @@ static handler_t connection_handle_read_post_chunked(server *srv, connection *co
         while (0 == te_chunked) {
             char *p;
             chunk *c = cq->first;
+            if (NULL == c) break;
             force_assert(c->type == MEM_CHUNK);
             p = strchr(c->mem->ptr+c->offset, '\n');
             if (NULL != p) { /* found HTTP chunked header line */
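
Review bot: the new `if (NULL == c) break;` leaves the `while (0 == te_chunked)` loop with `te_chunked` still 0, and the hunk does not show what the function does after the loop, so confirm that the post-loop path returns to wait for the next read (an empty queue here only means no chunk-size line has arrived yet) rather than treating it as a completed or malformed body. A one-line comment at the `break` stating why `cq->first` can legitimately be NULL at this point would spare the next reader from re-deriving it; with that check in place, `force_assert(c->type == MEM_CHUNK)` on the following line is only reached with a non-NULL chunk. Not part of this change, but the `strchr(c->mem->ptr+c->offset, '\n')` two lines below relies on the chunk's buffer being NUL-terminated, which is worth noting if that invariant is not obvious from the buffer type.
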
#4

Updated by gstrauss about 2 years ago

  • Subject changed from Segmentation fault. fast_cgi to Segmentation fault on HTTP chunked input
  • Category changed from mod_fastcgi to core
  • Status changed from New to Patch Pending
#5

Updated by gstrauss about 2 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
