Bug #2945
closed
Security - SIGABRT during GET request handling with url-path-2f-decode enabled
Description
Dear lighttpd team —
I have detected a SIGABRT during handling a malicious GET request with option url-path-2f-decode from server.http-parseopts enabled.
Version: lighttpd-1.4.53
How to reproduce:
$ ./configure --prefix=/tmp/lighttpd
$ mkdir -p /tmp/lighttpd/lib/
$ make
$ cp src/.libs/* /tmp/lighttpd/lib/
$ ./src/lighttpd -f <attached lighttpd.conf> -D
The server is started on localhost:8090
$ nc 127.0.0.1 8090 < crash.light
Aborted (core dumped)
Stacktrace:
STACK:
<0x00007ffff7baf895> [[UNKNOWN]():0 at /usr/lib64/libc-2.28.so]
<0x0000000000567f32> [log_failed_assert():1027 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x0000000000568957> [buffer_realloc():83 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x000000000056856b> [buffer_string_prepare_copy():102 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x0000000000568daf> [buffer_copy_string_len():166 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x000000000056f3f8> [burl_normalize_path():300 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x000000000056dd5a> [burl_normalize():349 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x000000000053e1b4> [http_response_prepare():342 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x0000000000544bb2> [connection_state_machine():1157 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x000000000054e550> [network_server_handle_fdevent():64 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x00000000005370d5> [server_main():2031 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x0000000000530c63> [HonggfuzzNetDriver_main():2102 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x00000000005d4407> [netDriver_mainProgram():0 at /home/stze/Downloads/lighttpd-1.4.53/src/lighttpd]
<0x00007ffff7f0c58e> [[UNKNOWN]():0 at /usr/lib64/libpthread-2.28.so]
<0x00007ffff7c8a683> [[UNKNOWN]():0 at /usr/lib64/libc-2.28.so]
=====================================================================
gdb:
(gdb) bt
#0 0x00007f0f2220e57f in raise () from /lib64/libc.so.6
#1 0x00007f0f221f8895 in abort () from /lib64/libc.so.6
#2 0x0000000000416d81 in log_failed_assert (filename=<optimized out>, line=<optimized out>, msg=<optimized out>) at buffer.c:1027
#3 0x00000000004171e5 in buffer_realloc (b=<optimized out>, len=0) at buffer.c:81
#4 0x0000000000417346 in buffer_string_prepare_copy (b=<optimized out>, size=<optimized out>) at buffer.c:102
#5 buffer_copy_string_len (b=0x1deb920, s=0x1e2c701 "601", s_len=18446744073709551613) at buffer.c:164
#6 0x000000000040cbaf in http_response_prepare (srv=0x1dd9260, con=0x1deb4e0) at response.c:387
#7 0x000000000040e541 in connection_state_machine (srv=0x1dd9260, con=0x1deb4e0) at connections.c:1157
#8 0x000000000040b905 in server_main (srv=0x1dd9260, argc=<optimized out>, argv=<optimized out>) at server.c:2044
#9 0x0000000000408ed9 in main (argc=4, argv=0x7fffa2c75b38) at server.c:2102
Please let me know what additional information I can provide to successfully reproduce the issue.
Cheers
-Stephan Zeisberg
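Added example, not part of the original report and not lighttpd source: the s_len value in gdb frame #5, 18446744073709551613, equals (size_t)-3 on a 64-bit build, which is what an unsigned length subtraction yields when it wraps. The helper names and the URI below are hypothetical and constructed to show how such a value arises and how a range check rejects it; the page does not say which lighttpd expression produced it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; none of this is lighttpd code. */

/* Bytes following the delimiter at offset `off` in a string of `total`
 * bytes, computed without a range check. size_t is unsigned, so the
 * result wraps to a huge value whenever off >= total. */
size_t tail_len_unchecked(size_t total, size_t off) {
    return total - off - 1;
}

/* Same computation, but an offset outside the string is rejected. */
int tail_len_checked(size_t total, size_t off, size_t *out) {
    if (off >= total) return -1;
    *out = total - off - 1;
    return 0;
}

/* Copy the tail into dst only if the length is valid and fits. */
int copy_tail(char *dst, size_t dst_sz, const char *src,
              size_t total, size_t off) {
    size_t n;
    if (tail_len_checked(total, off, &n) != 0) return -1;
    if (n >= dst_sz) return -1;
    memcpy(dst, src + off + 1, n);
    dst[n] = '\0';
    return 0;
}

int main(void) {
    /* Constructed input: an 8-byte URI with '?' at offset 4. */
    const char uri[] = "/a/b?x=1";
    char q[16];
    size_t total = strlen(uri);

    /* Constructed failure case: an offset 2 bytes past the end, e.g. one
     * recorded before the string was shortened. */
    printf("unchecked: %zu\n", tail_len_unchecked(total, total + 2));
    printf("checked:   %d\n", copy_tail(q, sizeof q, uri, total, total + 2));

    if (copy_tail(q, sizeof q, uri, total, 4) == 0)
        printf("query:     %s\n", q);
    return 0;
}
```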
Added by gstrauss about 6 years ago
[core] fix abort in http-parseopts (fixes #2945)
fix abort in server.http-parseopts with url-path-2f-decode enabled
(thx stze)
x-ref:
"Security - SIGABRT during GET request handling with url-path-2f-decode enabled"
https://redmine.lighttpd.net/issues/2945