Bug #3175
closed
configuration parse bug
Description
Summary
- lighttpd 1.4.67 (latest)
- Incorrect configuration in the configuration file will cause access to the wrong memory.
- Null dereference
Description
The option (-f) specifies the configuration file to read when running the lighttpd daemon.
If you pass a file with the wrong contents as an argument here, you will have problems because lighttpd will try to reference the wrong memory.
Undefined config variable: var.HTTP
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3960396==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55f0019217f8 bp 0x0c360000001d sp 0x7fff06726270 T0)
==3960396==The signal is caused by a READ memory access.
==3960396==Hint: address points to the zero page.
    #0 0x55f0019217f7 in yy_reduce configparser.y:740
    #1 0x55f0019217f7 in configparser configparser.c:1812
    #2 0x55f0018fed53 in config_parse /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2142
    #3 0x55f0019026ec in config_parse_file_stream /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2216
    #4 0x55f00190ba4c in config_read /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2486
    #5 0x55f0018cd272 in server_main_setup /home/dhjeong/fuzzing/lighttpd-1.4.67/src/server.c:1116
    #6 0x55f0018d7322 in main /home/dhjeong/fuzzing/lighttpd-1.4.67/src/server.c:2082
    #7 0x7f99af013082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x55f0019611cd in _start (/home/dhjeong/fuzzing/lighttpd-fuzz-only/lighttpd+0xc41cd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV configparser.y:740 in yy_reduce
==3960396==ABORTING
Proof of Concept (POC)
To reproduce it, you can use the file I attached to test it as follows.
lighttpd -f crash1.conf
lighttpd -f crash2.conf
Files
Added by gstrauss over 2 years ago
[core] fix crash for invalid lighttpd.conf (fixes #3175)
(thx dhjeong2)
x-ref:
"configuration parse bug"
https://redmine.lighttpd.net/issues/3175
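
A triage helper for reports like the AddressSanitizer output in this issue, added here as an example (it is not part of the bug report or of lighttpd): it extracts the fault address, access type and symbolized frames, flags faults that land in the zero page, and builds a path-independent bucket key for deduplicating fuzzing crashes. The name `triage`, the 4096-byte zero-page threshold and the bucket format are assumptions; the sample report is trimmed from the one in the description.

```python
import re

# Sample input: trimmed copy of the ASan report from this issue's description.
SAMPLE_REPORT = """\
==3960396==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55f0019217f8 bp 0x0c360000001d sp 0x7fff06726270 T0)
==3960396==The signal is caused by a READ memory access.
==3960396==Hint: address points to the zero page.
    #0 0x55f0019217f7 in yy_reduce configparser.y:740
    #1 0x55f0019217f7 in configparser configparser.c:1812
    #2 0x55f0018fed53 in config_parse /home/dhjeong/fuzzing/lighttpd-1.4.67/src/configfile.c:2142
    #8 0x55f0019611cd in _start (/home/dhjeong/fuzzing/lighttpd-fuzz-only/lighttpd+0xc41cd)
SUMMARY: AddressSanitizer: SEGV configparser.y:740 in yy_reduce
"""

# Patterns use search(), so they also match reports whose "==pid==" markers were lost.
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-fA-F]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
# Only frames symbolized as "function file:line"; module+offset frames are skipped.
FRAME = re.compile(r"#\d+ 0x[0-9a-fA-F]+ in (\S+) (\S+?):(\d+)")

ZERO_PAGE_LIMIT = 4096  # assumption: first page is unmapped, typical on Linux


def triage(report, bucket_depth=3):
    """Summarize an ASan SEGV report; return None if no SEGV-style header is found."""
    header = HEADER.search(report)
    if header is None:
        return None
    address = int(header.group(2), 16)
    access = ACCESS.search(report)
    # Keep only the file's base name so build directories do not split buckets.
    frames = [(fn, src.rsplit("/", 1)[-1], int(line))
              for fn, src, line in FRAME.findall(report)]
    return {
        "signal": header.group(1),
        "address": address,
        "access": access.group(1) if access else "UNKNOWN",
        # A small fault address usually means a field access through a NULL
        # pointer: the address is the field's offset within the structure.
        "null_deref": address < ZERO_PAGE_LIMIT,
        "frames": frames,
        "bucket": "|".join(f"{fn}@{src}:{line}"
                           for fn, src, line in frames[:bucket_depth]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Two crash inputs that produce the same bucket key, as `crash1.conf` and `crash2.conf` may here, can be filed as one finding.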