Bug #2984
closedSegmentation fault in mod_extforward with libmusl
Description
Version: 1.4.54.
Steps to reproduce:- Configure mod_extforward to trust all hosts:
extforward.headers = ("X-Forwarded-For", "X-Forwarded-Proto") extforward.forwarder = ("all" => "trust")
- Send the following HTTP request
GET / HTTP/1.1 Host: 127.0.0.1 X-Forwarded-For: b:2
Expected result: server will continue work.
Actual result: segmentation fault. Server does not continue serving requests after the crash.
Additional info: libmusl
is used unstead of GLIBC.
Updated by rei-de-barulho about 5 years ago
The issue cannot be reproduced on GLIBC-based systems.
Updated by gstrauss about 5 years ago
What architecture are you on? x86? x86_64? ARM 32-bit? ARM 64-bit? other?
Have you, by chance, tested this on any other architectures?
Do you have a stack trace?
If not, would you please set debug.log-request-handling = "enable"
in your lighttpd.conf and share what is in the log immediately prior to the crash?
Updated by byrn about 5 years ago
I tested this issue on a fresh Alpine Linux x86_64 VM with lighttpd/1.4.54 (ssl). Here is the result of the error.log
with log-request-handling
enabled :
2019-09-26 18:33:58: (server.c.1521) server started (lighttpd/1.4.54)
2019-09-26 18:34:05: (response.c.435) -- splitting Request-URI
2019-09-26 18:34:05: (response.c.436) Request-URI : /
2019-09-26 18:34:05: (response.c.437) URI-scheme : http
2019-09-26 18:34:05: (response.c.438) URI-authority : 127.0.0.1
2019-09-26 18:34:05: (response.c.439) URI-path (raw) : /
2019-09-26 18:34:05: (response.c.440) URI-path (clean): /
2019-09-26 18:34:05: (response.c.441) URI-query :
2019-09-26 18:34:05: (mod_extforward.c.1014) -- mod_extforward_uri_handler called
2019-09-26 18:34:05: (mod_extforward.c.514) using address: b:2
2019-09-26 18:34:05: (sock_addr.c.595) could not parse ip address b:2 because Name does not resolve (Invalid argument)
Updated by rei-de-barulho about 5 years ago
I start lighttpd on x84_64.
Stack trace:
#0 0x00007ffff7fa34fb in freeaddrinfo (p=0x0) at src/network/freeaddrinfo.c:10 #1 0x000055555558327e in sock_addr_from_str_numeric (srv=srv@entry=0x7ffff7c88ca0, saddr=saddr@entry=0x7fffffffe908, str=str@entry=0x5555556502e0 "b:2") at sock_addr.c:620 #2 0x00007ffff7c4503e in mod_extforward_set_addr (srv=srv@entry=0x7ffff7c88ca0, con=con@entry=0x5555555cd4a0, addr=addr@entry=0x5555556502e0 "b:2", p=<optimized out>) at mod_extforward.c:518 #3 0x00007ffff7c466f2 in mod_extforward_X_Forwarded_For (x_forwarded_for=<optimized out>, p=0x5555555b8400, con=0x5555555cd4a0, srv=0x7ffff7c88ca0) at mod_extforward.c:597 #4 mod_extforward_uri_handler (srv=0x7ffff7c88ca0, con=0x5555555cd4a0, p_d=0x5555555b8400) at mod_extforward.c:1068 #5 0x0000555555579b35 in plugins_call_handle_uri_raw (srv=srv@entry=0x7ffff7c88ca0, con=con@entry=0x5555555cd4a0) at plugin.c:314 #6 0x000055555556a1e2 in http_response_prepare (srv=srv@entry=0x7ffff7c88ca0, con=con@entry=0x5555555cd4a0) at response.c:469 #7 0x000055555556bf0d in connection_handle_request (con=0x5555555cd4a0, srv=0x7ffff7c88ca0) at connections.c:1272 #8 connection_state_machine (srv=srv@entry=0x7ffff7c88ca0, con=0x5555555cd4a0) at connections.c:1272 #9 0x000055555556cb7a in network_server_handle_fdevent (srv=0x7ffff7c88ca0, context=0x5555555b8740, revents=<optimized out>) at network.c:65 #10 0x000055555557c758 in fdevent_linux_sysepoll_poll (ev=0x5555555c7be0, timeout_ms=<optimized out>) at fdevent_linux_sysepoll.c:44 #11 0x0000555555573099 in fdevent_poll (ev=0x5555555c7be0, timeout_ms=<optimized out>) at fdevent.c:397 #12 0x00005555555691d6 in server_main_loop (srv=0x7ffff7c88ca0) at server.c:2040 #13 0x0000555555560e4d in main (argc=4, argv=0x7fffffffec68) at server.c:2081
Updated by rei-de-barulho about 5 years ago
I think there is a problem in libmusl
. Its freeaddrinfo()
function does not have a nullptr-check: https://git.musl-libc.org/cgit/musl/tree/src/network/freeaddrinfo.c.
Updated by gstrauss about 5 years ago
It does sound like a problem with freeaddrinfo(). This (untested) patch might help you work around it in lighttpd:
--- a/src/sock_addr.c +++ b/src/sock_addr.c @@ -594,11 +594,12 @@ int sock_addr_from_str_numeric(server *srv, sock_addr *saddr, const char *str) log_error_write(srv, __FILE__, __LINE__, "SSSs(S)", "could not parse ip address ", str, " because ", gai_strerror(result), strerror(errno)); + return result; } else if (addrlist == NULL) { log_error_write(srv, __FILE__, __LINE__, "SSS", "Problem in parsing ip address ", str, ": succeeded, but no information returned"); - result = -1; + return -1; } else switch (addrlist->ai_family) { case AF_INET: memcpy(&saddr->ipv4, addrlist->ai_addr, sizeof(saddr->ipv4));
Updated by gstrauss about 5 years ago
- Subject changed from Segmentation fault in mod_extforward to Segmentation fault in mod_extforward with libmusl
- Status changed from New to Patch Pending
- Target version changed from 1.4.x to 1.4.55
Updated by gstrauss almost 5 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 851728c6a13ed38a2c333daf62f8d6e649e11004.
Also available in: Atom