Actions
Bug #3262
closedIndex -1 Out of Bounds Error in http_header_hkey_get Function in Lighttpd
ASK QUESTIONS IN Forums:
No
Description
When processing malformed HTTP headers, Lighttpd crashes due to an index out-of-bounds error in the http_header_hkey_get function (http_header.c:103). This error occurs during the parsing of request headers and results in the server attempting to access an invalid array index, leading to a crash.
The problem can be reproduced by following these steps:
1. Build
git clone https://git.lighttpd.net/lighttpd/lighttpd1.4.git lighttpd1
cd lighttpd1
./autogen.sh && \
CFLAGS="-fsanitize=undefined -g" CXXFLAGS="-fsanitize=undefined -g" ./configure --enable-static --disable-shared && \
CFLAGS="-fsanitize=undefined -g" CXXFLAGS="-fsanitize=undefined" make clean all
2. Start server
/src/lighttpd -D -f lighttpd.conf -m ./src/.libs@
lighttpd.conf:
@server.document-root = "/tmp"
server.bind = "127.0.0.1"
server.port = 80
mimetype.assign = (".txt" => "text/plain", ".html" => "text/html" )@
3.Hack, PoC:
echo "474554202f686920485454502f312e310d0a4163636570743a202a2f2a0d0a303030303030306563616c686f73743a383038650d0a486f7300040068656c6c6f2e616563616c686f73743a443038650d0a486f7300040068656c6c6f2e7478743a3830380f0d0a5573206370702d687474706c6962682e302e2f302e31372e410d0a0d0a44454c455445202f88656c6c6f2e74787420485454502f312e310d0a486f73743a203132372e302e302e313a163038300d0a557365722d4167656e743a206368656c6c6f2e74787475726c2f382e2a2e310d0a3d63636570743a202a2f2a0d0a0d0a4440000000302e2f302e31372e410d0a0d0a00204e682e302e302e31ba0000b4b468656c6c6f2e7478749e632f090d0a0d8044454c45374165000080003a332a2f2a2f2a0d0a0d0a474554202f686920485454502f312e310d0a4163636570743a202a2f2a0d0a303030303030306563616c686f73743a383038650d0a486f7300040068656c6c6f1a6e6563616c686f73743a383038650d0a486f7300040068806c6c6f2e7478743a3837380f0d0a557320637c702d687474706c6962682e302e2f302e31372e410d0a0d0a44454c455445202f68656c6c6f2e74787420485454502f312e310d0a2c6f73743a203132372e302e302e313a163038300d0a557365722d4167656e743a206368656c6c6f2e74787475726c2f382e302e311a0a3d63636570743a202a2f2a0d0a0d17444000000000204e682e302e302e31ba00009bb4b4b4b48011ffffb4b49e632f010d0a0d8044454c45374165000080003a332a2f2a2f2a0d0a0d0a474554202f686920484054502f312e310d0a4163636570743a202a2f2a0d0a4302006e656c6f73658000336f73743a206c6f63616c300d0a557365722d416374696f6b3a6e743a206370702d687474706c69622f302e372e300d0a0d0a" | xxd -r -p | nc 127.0.0.1 80
The corresponding packets are:
GET /hi HTTP/1.1 Accept: */* 0000000ecalhost:808e Hoshello.aecalhost:D08e Hoshello.txt:808 Us cpp-httplibh.0./0.17.A DELETE /�ello.txt HTTP/1.1 Host: 127.0.0.1:080 User-Agent: chello.txturl/8.*.1 =ccept: */* D@0./0.17.A Nh.0.0.1���hello.txt�c/ �DELE7Ae�:3*/*/* GET /hi HTTP/1.1 Accept: */* 0000000ecalhost:808e Hoshellonecalhost:808e Hosh�llo.txt:878 Us c|p-httplibh.0./0.17.A DELETE /hello.txt HTTP/1.1 ,ost: 127.0.0.1:080 User-Agent: chello.txturl/8.0.1 =ccept: */* D@ Nh.0.0.1������������c/ �DELE7Ae�:3*/*/* GET /hi H@TP/1.1 Accept: */* Cnelose�3ost: local0 User-Actiok:nt: cpp-httplib/0.7.0
4.Then server crashes, details:
2024-09-02 08:31:43: (server.c.1948) server started (lighttpd/1.4.77-devel-lighttpd-1.4.76-36-g3bc0bc2f)
http_header.c:103:64: runtime error: index -1 out of bounds for type 'const keyvlenvalue [60]'
#0 0x67b660 in http_header_hkey_get lighttpd1/src/http_header.c:103:64
#1 0x81213b in http_request_parse_headers lighttpd1/src/request.c:1130:39
#2 0x81213b in http_request_parse_hoff lighttpd1/src/request.c:1290:14
#3 0x810213 in http_request_headers_process lighttpd1/src/request.c:1326:22
#4 0x524af3 in h1_recv_headers lighttpd1/src/h1.c:499:5
#5 0x50fdaa in connection_state_machine_loop lighttpd1/src/connections.c:639:9
#6 0x50abef in connection_state_machine lighttpd1/src/connections.c:824:9
#7 0x4df06d in server_run_con_queue lighttpd1/src/server.c:2187:9
#8 0x4df06d in server_main_loop lighttpd1/src/server.c:2243:3
#9 0x4cc8ab in main lighttpd1/src/server.c:2347:13
#10 0x7f9a8602e082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x42488d in _start (lighttpd1/src/lighttpd+0x42488d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior http_header.c:103:64 in
Aborted
Updated by gstrauss 4 months ago
- Status changed from New to Invalid
- Target version deleted (
1.4.77)
The code in http_header.c starting at line 103 does not dereference the pointer until after the condition check on the following line.
const struct keyvlenvalue * restrict kv = http_headers + i;
if (__builtin_expect( (i != -1), 1)) {
This smells more like a compiler bug, perhaps in issuing prefetch instructions. What compiler are you using and what version of that compiler? Have you looked at the assembly generated by the compiler for http_header_hkey_get() ?
Updated by senorita 4 months ago · Edited
I used clang 10. The assembly generated by the compiler for http_header_hkey_get() is as follows.
$ objdump -d --disassemble=http_header_hkey_get lighttpd lighttpd: file format elf64-x86-64 Disassembly of section .init: Disassembly of section .plt: Disassembly of section .plt.got: Disassembly of section .text: 000000000067ae40 <http_header_hkey_get>: 67ae40: 55 push %rbp 67ae41: 41 57 push %r15 67ae43: 41 56 push %r14 67ae45: 41 55 push %r13 67ae47: 41 54 push %r12 67ae49: 53 push %rbx 67ae4a: 48 83 ec 18 sub $0x18,%rsp 67ae4e: 4c 8b 2d 8b d1 22 00 mov 0x22d18b(%rip),%r13 # 8a7fe0 <__afl_prev_loc@@Base+0x8a7f64> 67ae55: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67ae5a: 48 8b 0d 6f 48 2f 00 mov 0x2f486f(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67ae61: 48 35 f6 94 00 00 xor $0x94f6,%rax 67ae67: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67ae6b: 49 89 f7 mov %rsi,%r15 67ae6e: 64 41 c7 45 00 7b 4a movl $0x4a7b,%fs:0x0(%r13) 67ae75: 00 00 67ae77: 48 83 fe 1b cmp $0x1b,%rsi 67ae7b: 0f 87 13 06 00 00 ja 67b494 <http_header_hkey_get+0x654> 67ae81: 48 89 fe mov %rdi,%rsi 67ae84: 48 8b 05 45 48 2f 00 mov 0x2f4845(%rip),%rax # 96f6d0 <__afl_area_ptr> 67ae8b: 80 80 b0 a3 00 00 01 addb $0x1,0xa3b0(%rax) 67ae92: 64 41 c7 45 00 e5 74 movl $0x74e5,%fs:0x0(%r13) 67ae99: 00 00 67ae9b: 48 8b 05 2e 48 2f 00 mov 0x2f482e(%rip),%rax # 96f6d0 <__afl_area_ptr> 67aea2: 80 80 58 f7 00 00 01 addb $0x1,0xf758(%rax) 67aea9: 64 41 c7 45 00 de 41 movl $0x41de,%fs:0x0(%r13) 67aeb0: 00 00 67aeb2: bb e0 31 86 00 mov $0x8631e0,%ebx 67aeb7: 4c 01 fb add %r15,%rbx 67aeba: 0f 82 d4 06 00 00 jb 67b594 <http_header_hkey_get+0x754> 67aec0: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67aec5: 48 8b 0d 04 48 2f 00 mov 0x2f4804(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67aecc: 48 35 2c 5a 00 00 xor $0x5a2c,%rax 67aed2: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67aed6: 64 41 c7 45 00 16 2d movl $0x2d16,%fs:0x0(%r13) 67aedd: 00 00 67aedf: 48 8b 05 ea 47 2f 00 mov 0x2f47ea(%rip),%rax # 96f6d0 <__afl_area_ptr> 67aee6: 80 80 e2 40 00 00 01 addb $0x1,0x40e2(%rax) 67aeed: 64 41 c7 45 00 fa 36 movl $0x36fa,%fs:0x0(%r13) 67aef4: 00 00 67aef6: 48 89 d8 mov %rbx,%rax 67aef9: 48 c1 e8 03 shr $0x3,%rax 67aefd: 8a 80 00 80 ff 7f mov 0x7fff8000(%rax),%al 67af03: 84 c0 test %al,%al 67af05: 0f 85 5f 06 00 00 jne 67b56a <http_header_hkey_get+0x72a> 67af0b: 48 85 f6 test %rsi,%rsi 67af0e: 0f 84 b4 06 00 00 je 67b5c8 <http_header_hkey_get+0x788> 67af14: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67af19: 48 8b 0d b0 47 2f 00 mov 0x2f47b0(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67af20: 48 35 8f f3 00 00 xor $0xf38f,%rax 67af26: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67af2a: 64 41 c7 45 00 c7 79 movl $0x79c7,%fs:0x0(%r13) 67af31: 00 00 67af33: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67af38: 48 8b 0d 91 47 2f 00 mov 0x2f4791(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67af3f: 48 35 ab 70 00 00 xor $0x70ab,%rax 67af45: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67af49: 64 41 c7 45 00 55 38 movl $0x3855,%fs:0x0(%r13) 67af50: 00 00 67af52: 48 89 f0 mov %rsi,%rax 67af55: 48 c1 e8 03 shr $0x3,%rax 67af59: 8a 80 00 80 ff 7f mov 0x7fff8000(%rax),%al 67af5f: 84 c0 test %al,%al 67af61: 0f 85 18 06 00 00 jne 67b57f <http_header_hkey_get+0x73f> 67af67: 48 0f be 1b movsbq (%rbx),%rbx 67af6b: 44 8a 36 mov (%rsi),%r14b 67af6e: b8 fc f7 cb 0a mov $0xacbf7fc,%eax 67af73: bd fc f7 cb 0a mov $0xacbf7fc,%ebp 67af78: 44 89 f9 mov %r15d,%ecx 67af7b: 48 d3 ed shr %cl,%rbp 67af7e: 4c 0f a3 f8 bt %r15,%rax 67af82: 0f 83 b2 06 00 00 jae 67b63a <http_header_hkey_get+0x7fa> 67af88: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67af8d: 48 8b 0d 3c 47 2f 00 mov 0x2f473c(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67af94: 48 35 a7 cd 00 00 xor $0xcda7,%rax 67af9a: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67af9e: b9 40 32 86 00 mov $0x863240,%ecx 67afa3: 48 c1 e3 05 shl $0x5,%rbx 67afa7: 31 d2 xor %edx,%edx 67afa9: 48 01 cb add %rcx,%rbx 67afac: 0f 92 c2 setb %dl 67afaf: 31 c0 xor %eax,%eax 67afb1: 48 39 cb cmp %rcx,%rbx 67afb4: 0f 93 c0 setae %al 67afb7: 40 f6 c5 01 test $0x1,%bpl 67afbb: 64 41 c7 45 00 d3 66 movl $0x66d3,%fs:0x0(%r13) 67afc2: 00 00 67afc4: 0f 44 c2 cmove %edx,%eax 67afc7: 48 85 db test %rbx,%rbx 67afca: 0f 84 99 06 00 00 je 67b669 <http_header_hkey_get+0x829> 67afd0: 84 c0 test %al,%al 67afd2: 0f 84 91 06 00 00 je 67b669 <http_header_hkey_get+0x829> 67afd8: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67afdd: 48 8b 0d ec 46 2f 00 mov 0x2f46ec(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67afe4: 48 35 0d 88 00 00 xor $0x880d,%rax 67afea: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67afee: 64 41 c7 45 00 06 44 movl $0x4406,%fs:0x0(%r13) 67aff5: 00 00 67aff7: 40 f6 c5 01 test $0x1,%bpl 67affb: 0f 84 4e 04 00 00 je 67b44f <http_header_hkey_get+0x60f> 67b001: 41 80 ce 20 or $0x20,%r14b 67b005: 48 8d 56 01 lea 0x1(%rsi),%rdx 67b009: 4d 8d 47 ff lea -0x1(%r15),%r8 67b00d: 0f 1f 00 nopl (%rax) 67b010: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b015: 48 8b 0d b4 46 2f 00 mov 0x2f46b4(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b01c: 48 35 93 df 00 00 xor $0xdf93,%rax 67b022: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b026: 64 41 c7 45 00 c9 6f movl $0x6fc9,%fs:0x0(%r13) 67b02d: 00 00 67b02f: f6 c3 01 test $0x1,%bl 67b032: 0f 85 5e 02 00 00 jne 67b296 <http_header_hkey_get+0x456> 67b038: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b03d: 48 8b 0d 8c 46 2f 00 mov 0x2f468c(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b044: 48 35 b2 94 00 00 xor $0x94b2,%rax 67b04a: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b04e: 64 41 c7 45 00 59 4a movl $0x4a59,%fs:0x0(%r13) 67b055: 00 00 67b057: 48 8b 05 72 46 2f 00 mov 0x2f4672(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b05e: 80 80 5b 95 00 00 01 addb $0x1,0x955b(%rax) 67b065: 48 8d 6b 04 lea 0x4(%rbx),%rbp 67b069: 64 41 c7 45 00 81 6f movl $0x6f81,%fs:0x0(%r13) 67b070: 00 00 67b072: 40 f6 c5 01 test $0x1,%bpl 67b076: 0f 85 57 02 00 00 jne 67b2d3 <http_header_hkey_get+0x493> 67b07c: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b081: 48 8b 0d 48 46 2f 00 mov 0x2f4648(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b088: 48 35 a6 1e 00 00 xor $0x1ea6,%rax 67b08e: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b092: 64 41 c7 45 00 53 0f movl $0xf53,%fs:0x0(%r13) 67b099: 00 00 67b09b: 48 89 e8 mov %rbp,%rax 67b09e: 48 c1 e8 03 shr $0x3,%rax 67b0a2: 0f b6 80 00 80 ff 7f movzbl 0x7fff8000(%rax),%eax 67b0a9: 84 c0 test %al,%al 67b0ab: 0f 85 bd 01 00 00 jne 67b26e <http_header_hkey_get+0x42e> 67b0b1: 44 3a 73 04 cmp 0x4(%rbx),%r14b 67b0b5: 0f 84 d6 00 00 00 je 67b191 <http_header_hkey_get+0x351> 67b0bb: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b0c0: 48 8b 0d 09 46 2f 00 mov 0x2f4609(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b0c7: 48 35 77 81 00 00 xor $0x8177,%rax 67b0cd: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b0d1: 64 41 c7 45 00 bb 40 movl $0x40bb,%fs:0x0(%r13) 67b0d8: 00 00 67b0da: 48 8d 6b 20 lea 0x20(%rbx),%rbp 67b0de: 48 83 fb df cmp $0xffffffffffffffdf,%rbx 67b0e2: 0f 87 b2 02 00 00 ja 67b39a <http_header_hkey_get+0x55a> 67b0e8: 48 85 ed test %rbp,%rbp 67b0eb: 0f 84 a9 02 00 00 je 67b39a <http_header_hkey_get+0x55a> 67b0f1: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b0f6: 48 8b 0d d3 45 2f 00 mov 0x2f45d3(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b0fd: 48 35 14 ee 00 00 xor $0xee14,%rax 67b103: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b107: 64 41 c7 45 00 0a 77 movl $0x770a,%fs:0x0(%r13) 67b10e: 00 00 67b110: 40 f6 c5 01 test $0x1,%bpl 67b114: 0f 85 fa 01 00 00 jne 67b314 <http_header_hkey_get+0x4d4> 67b11a: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b11f: 48 8b 0d aa 45 2f 00 mov 0x2f45aa(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b126: 48 35 b6 f8 00 00 xor $0xf8b6,%rax 67b12c: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b130: 64 41 c7 45 00 5b 7c movl $0x7c5b,%fs:0x0(%r13) 67b137: 00 00 67b139: 4c 8d 63 22 lea 0x22(%rbx),%r12 67b13d: 41 f6 c4 01 test $0x1,%r12b 67b141: 0f 85 0e 02 00 00 jne 67b355 <http_header_hkey_get+0x515> 67b147: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b14c: 48 8b 0d 7d 45 2f 00 mov 0x2f457d(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b153: 48 35 6c 2d 00 00 xor $0x2d6c,%rax 67b159: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b15d: 64 41 c7 45 00 b6 16 movl $0x16b6,%fs:0x0(%r13) 67b164: 00 00 67b166: 4c 89 e0 mov %r12,%rax 67b169: 48 c1 e8 03 shr $0x3,%rax 67b16d: 0f b6 80 00 80 ff 7f movzbl 0x7fff8000(%rax),%eax 67b174: 84 c0 test %al,%al 67b176: 0f 85 04 01 00 00 jne 67b280 <http_header_hkey_get+0x440> 67b17c: 0f b7 43 22 movzwl 0x22(%rbx),%eax 67b180: 48 89 eb mov %rbp,%rbx 67b183: 4c 39 f8 cmp %r15,%rax 67b186: 0f 84 84 fe ff ff je 67b010 <http_header_hkey_get+0x1d0> 67b18c: e9 be 02 00 00 jmpq 67b44f <http_header_hkey_get+0x60f> 67b191: 48 8b 05 38 45 2f 00 mov 0x2f4538(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b198: 80 80 8e 0f 00 00 01 addb $0x1,0xf8e(%rax) 67b19f: 64 41 c7 45 00 6e 00 movl $0x6e,%fs:0x0(%r13) 67b1a6: 00 00 67b1a8: 48 83 fe ff cmp $0xffffffffffffffff,%rsi 67b1ac: 0f 84 2c 02 00 00 je 67b3de <http_header_hkey_get+0x59e> 67b1b2: 48 89 34 24 mov %rsi,(%rsp) 67b1b6: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b1bb: 48 8b 0d 0e 45 2f 00 mov 0x2f450e(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b1c2: 48 35 f7 f5 00 00 xor $0xf5f7,%rax 67b1c8: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b1cc: 64 41 c7 45 00 fb 7a movl $0x7afb,%fs:0x0(%r13) 67b1d3: 00 00 67b1d5: 48 8b 05 f4 44 2f 00 mov 0x2f44f4(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b1dc: 80 80 4f f0 00 00 01 addb $0x1,0xf04f(%rax) 67b1e3: 64 41 c7 45 00 5a 45 movl $0x455a,%fs:0x0(%r13) 67b1ea: 00 00 67b1ec: f6 c3 01 test $0x1,%bl 67b1ef: 0f 85 25 02 00 00 jne 67b41a <http_header_hkey_get+0x5da> 67b1f5: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b1fa: 48 8b 0d cf 44 2f 00 mov 0x2f44cf(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b201: 48 35 af 32 00 00 xor $0x32af,%rax 67b207: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b20b: 64 41 c7 45 00 57 19 movl $0x1957,%fs:0x0(%r13) 67b212: 00 00 67b214: 48 8b 05 b5 44 2f 00 mov 0x2f44b5(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b21b: 80 80 99 0a 00 00 01 addb $0x1,0xa99(%rax) 67b222: 48 8d 73 05 lea 0x5(%rbx),%rsi 67b226: 64 41 c7 45 00 e7 09 movl $0x9e7,%fs:0x0(%r13) 67b22d: 00 00 67b22f: 48 8b 05 9a 44 2f 00 mov 0x2f449a(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b236: 80 80 40 a4 00 00 01 addb $0x1,0xa440(%rax) 67b23d: 64 41 c7 45 00 d3 56 movl $0x56d3,%fs:0x0(%r13) 67b244: 00 00 67b246: 48 89 d7 mov %rdx,%rdi 67b249: 48 89 d5 mov %rdx,%rbp 67b24c: 4c 89 c2 mov %r8,%rdx 67b24f: 4d 89 c4 mov %r8,%r12 67b252: e8 b9 b3 fd ff callq 656610 <buffer_eq_icase_ssn> 67b257: 4d 89 e0 mov %r12,%r8 67b25a: 48 89 ea mov %rbp,%rdx 67b25d: 85 c0 test %eax,%eax 67b25f: 48 8b 34 24 mov (%rsp),%rsi 67b263: 0f 84 52 fe ff ff je 67b0bb <http_header_hkey_get+0x27b> 67b269: e9 76 02 00 00 jmpq 67b4e4 <http_header_hkey_get+0x6a4> 67b26e: 89 e9 mov %ebp,%ecx 67b270: 80 e1 07 and $0x7,%cl 67b273: 38 c1 cmp %al,%cl 67b275: 0f 8c 36 fe ff ff jl 67b0b1 <http_header_hkey_get+0x271> 67b27b: e9 35 04 00 00 jmpq 67b6b5 <http_header_hkey_get+0x875> 67b280: 44 89 e1 mov %r12d,%ecx 67b283: 80 e1 07 and $0x7,%cl 67b286: 80 c1 01 add $0x1,%cl 67b289: 38 c1 cmp %al,%cl 67b28b: 0f 8c eb fe ff ff jl 67b17c <http_header_hkey_get+0x33c> 67b291: e9 27 04 00 00 jmpq 67b6bd <http_header_hkey_get+0x87d> 67b296: 48 8b 05 33 44 2f 00 mov 0x2f4433(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b29d: 80 80 df cc 00 00 01 addb $0x1,0xccdf(%rax) 67b2a4: 64 41 c7 45 00 8b 51 movl $0x518b,%fs:0x0(%r13) 67b2ab: 00 00 67b2ad: bf a0 2b 91 00 mov $0x912ba0,%edi 67b2b2: 48 89 34 24 mov %rsi,(%rsp) 67b2b6: 48 89 de mov %rbx,%rsi 67b2b9: 48 89 d5 mov %rdx,%rbp 67b2bc: 4d 89 c4 mov %r8,%r12 67b2bf: e8 4c c8 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b2c4: 4d 89 e0 mov %r12,%r8 67b2c7: 48 89 ea mov %rbp,%rdx 67b2ca: 48 8b 34 24 mov (%rsp),%rsi 67b2ce: e9 65 fd ff ff jmpq 67b038 <http_header_hkey_get+0x1f8> 67b2d3: 48 8b 05 f6 43 2f 00 mov 0x2f43f6(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b2da: 80 80 9c c7 00 00 01 addb $0x1,0xc79c(%rax) 67b2e1: 64 41 c7 45 00 0e 54 movl $0x540e,%fs:0x0(%r13) 67b2e8: 00 00 67b2ea: bf c0 2b 91 00 mov $0x912bc0,%edi 67b2ef: 48 89 34 24 mov %rsi,(%rsp) 67b2f3: 48 89 ee mov %rbp,%rsi 67b2f6: 49 89 d4 mov %rdx,%r12 67b2f9: 4c 89 44 24 08 mov %r8,0x8(%rsp) 67b2fe: e8 0d c8 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b303: 4c 8b 44 24 08 mov 0x8(%rsp),%r8 67b308: 4c 89 e2 mov %r12,%rdx 67b30b: 48 8b 34 24 mov (%rsp),%rsi 67b30f: e9 68 fd ff ff jmpq 67b07c <http_header_hkey_get+0x23c> 67b314: 48 8b 05 b5 43 2f 00 mov 0x2f43b5(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b31b: 80 80 1a a9 00 00 01 addb $0x1,0xa91a(%rax) 67b322: 64 41 c7 45 00 08 6f movl $0x6f08,%fs:0x0(%r13) 67b329: 00 00 67b32b: bf 60 2c 91 00 mov $0x912c60,%edi 67b330: 48 89 34 24 mov %rsi,(%rsp) 67b334: 48 89 ee mov %rbp,%rsi 67b337: 49 89 d4 mov %rdx,%r12 67b33a: 4c 89 44 24 08 mov %r8,0x8(%rsp) 67b33f: e8 cc c7 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b344: 4c 8b 44 24 08 mov 0x8(%rsp),%r8 67b349: 4c 89 e2 mov %r12,%rdx 67b34c: 48 8b 34 24 mov (%rsp),%rsi 67b350: e9 c5 fd ff ff jmpq 67b11a <http_header_hkey_get+0x2da> 67b355: 48 8b 05 74 43 2f 00 mov 0x2f4374(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b35c: 80 80 78 ad 00 00 01 addb $0x1,0xad78(%rax) 67b363: 64 41 c7 45 00 91 68 movl $0x6891,%fs:0x0(%r13) 67b36a: 00 00 67b36c: bf 80 2c 91 00 mov $0x912c80,%edi 67b371: 48 89 34 24 mov %rsi,(%rsp) 67b375: 4c 89 e6 mov %r12,%rsi 67b378: 48 89 54 24 10 mov %rdx,0x10(%rsp) 67b37d: 4c 89 44 24 08 mov %r8,0x8(%rsp) 67b382: e8 89 c7 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b387: 4c 8b 44 24 08 mov 0x8(%rsp),%r8 67b38c: 48 8b 54 24 10 mov 0x10(%rsp),%rdx 67b391: 48 8b 34 24 mov (%rsp),%rsi 67b395: e9 ad fd ff ff jmpq 67b147 <http_header_hkey_get+0x307> 67b39a: 48 8b 05 2f 43 2f 00 mov 0x2f432f(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b3a1: 80 80 55 ee 00 00 01 addb $0x1,0xee55(%rax) 67b3a8: 64 41 c7 45 00 77 57 movl $0x5777,%fs:0x0(%r13) 67b3af: 00 00 67b3b1: bf 50 2c 91 00 mov $0x912c50,%edi 67b3b6: 48 89 34 24 mov %rsi,(%rsp) 67b3ba: 48 89 de mov %rbx,%rsi 67b3bd: 48 89 54 24 10 mov %rdx,0x10(%rsp) 67b3c2: 48 89 ea mov %rbp,%rdx 67b3c5: 4d 89 c4 mov %r8,%r12 67b3c8: e8 23 02 e5 ff callq 4cb5f0 <__ubsan_handle_pointer_overflow> 67b3cd: 4d 89 e0 mov %r12,%r8 67b3d0: 48 8b 54 24 10 mov 0x10(%rsp),%rdx 67b3d5: 48 8b 34 24 mov (%rsp),%rsi 67b3d9: e9 13 fd ff ff jmpq 67b0f1 <http_header_hkey_get+0x2b1> 67b3de: 48 8b 05 eb 42 2f 00 mov 0x2f42eb(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b3e5: 80 80 1e 36 00 00 01 addb $0x1,0x361e(%rax) 67b3ec: 64 41 c7 45 00 38 1b movl $0x1b38,%fs:0x0(%r13) 67b3f3: 00 00 67b3f5: bf e0 2b 91 00 mov $0x912be0,%edi 67b3fa: 49 89 f4 mov %rsi,%r12 67b3fd: 48 89 d5 mov %rdx,%rbp 67b400: 4c 89 44 24 08 mov %r8,0x8(%rsp) 67b405: e8 e6 01 e5 ff callq 4cb5f0 <__ubsan_handle_pointer_overflow> 67b40a: 4c 8b 44 24 08 mov 0x8(%rsp),%r8 67b40f: 48 89 ea mov %rbp,%rdx 67b412: 4c 89 e6 mov %r12,%rsi 67b415: e9 98 fd ff ff jmpq 67b1b2 <http_header_hkey_get+0x372> 67b41a: 48 8b 05 af 42 2f 00 mov 0x2f42af(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b421: 80 80 af 1a 00 00 01 addb $0x1,0x1aaf(%rax) 67b428: 64 41 c7 45 00 fa 2f movl $0x2ffa,%fs:0x0(%r13) 67b42f: 00 00 67b431: bf f0 2b 91 00 mov $0x912bf0,%edi 67b436: 48 89 de mov %rbx,%rsi 67b439: 49 89 d4 mov %rdx,%r12 67b43c: 4c 89 c5 mov %r8,%rbp 67b43f: e8 cc c6 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b444: 49 89 e8 mov %rbp,%r8 67b447: 4c 89 e2 mov %r12,%rdx 67b44a: e9 a6 fd ff ff jmpq 67b1f5 <http_header_hkey_get+0x3b5> 67b44f: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b454: 48 8b 0d 75 42 2f 00 mov 0x2f4275(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b45b: 48 35 21 e6 00 00 xor $0xe621,%rax 67b461: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b465: 64 41 c7 45 00 10 73 movl $0x7310,%fs:0x0(%r13) 67b46c: 00 00 67b46e: b1 01 mov $0x1,%cl 67b470: 64 49 63 55 00 movslq %fs:0x0(%r13),%rdx 67b475: 48 8b 35 54 42 2f 00 mov 0x2f4254(%rip),%rsi # 96f6d0 <__afl_area_ptr> 67b47c: 48 81 f2 b3 c1 00 00 xor $0xc1b3,%rdx 67b483: 80 04 16 01 addb $0x1,(%rsi,%rdx,1) 67b487: 64 41 c7 45 00 d9 60 movl $0x60d9,%fs:0x0(%r13) 67b48e: 00 00 67b490: 84 c9 test %cl,%cl 67b492: 74 21 je 67b4b5 <http_header_hkey_get+0x675> 67b494: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b499: 48 8b 0d 30 42 2f 00 mov 0x2f4230(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b4a0: 48 35 1f f8 00 00 xor $0xf81f,%rax 67b4a6: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b4aa: 64 41 c7 45 00 0f 7c movl $0x7c0f,%fs:0x0(%r13) 67b4b1: 00 00 67b4b3: 31 c0 xor %eax,%eax 67b4b5: 64 49 63 4d 00 movslq %fs:0x0(%r13),%rcx 67b4ba: 48 8b 15 0f 42 2f 00 mov 0x2f420f(%rip),%rdx # 96f6d0 <__afl_area_ptr> 67b4c1: 48 81 f1 fb d3 00 00 xor $0xd3fb,%rcx 67b4c8: 80 04 0a 01 addb $0x1,(%rdx,%rcx,1) 67b4cc: 64 41 c7 45 00 fd 69 movl $0x69fd,%fs:0x0(%r13) 67b4d3: 00 00 67b4d5: 48 83 c4 18 add $0x18,%rsp 67b4d9: 5b pop %rbx 67b4da: 41 5c pop %r12 67b4dc: 41 5d pop %r13 67b4de: 41 5e pop %r14 67b4e0: 41 5f pop %r15 67b4e2: 5d pop %rbp 67b4e3: c3 retq 67b4e4: 48 8b 05 e5 41 2f 00 mov 0x2f41e5(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b4eb: 80 80 6b 8b 00 00 01 addb $0x1,0x8b6b(%rax) 67b4f2: 64 41 c7 45 00 dc 6e movl $0x6edc,%fs:0x0(%r13) 67b4f9: 00 00 67b4fb: f6 c3 01 test $0x1,%bl 67b4fe: 0f 85 c1 01 00 00 jne 67b6c5 <http_header_hkey_get+0x885> 67b504: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b509: 48 8b 0d c0 41 2f 00 mov 0x2f41c0(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b510: 48 35 ef d8 00 00 xor $0xd8ef,%rax 67b516: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b51a: 64 41 c7 45 00 77 6c movl $0x6c77,%fs:0x0(%r13) 67b521: 00 00 67b523: f6 c3 01 test $0x1,%bl 67b526: 0f 85 c2 01 00 00 jne 67b6ee <http_header_hkey_get+0x8ae> 67b52c: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b531: 48 8b 0d 98 41 2f 00 mov 0x2f4198(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b538: 48 35 1b 95 00 00 xor $0x951b,%rax 67b53e: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b542: 64 41 c7 45 00 8d 4a movl $0x4a8d,%fs:0x0(%r13) 67b549: 00 00 67b54b: 48 89 d8 mov %rbx,%rax 67b54e: 48 c1 e8 03 shr $0x3,%rax 67b552: 8a 80 00 80 ff 7f mov 0x7fff8000(%rax),%al 67b558: 84 c0 test %al,%al 67b55a: 0f 85 3d 01 00 00 jne 67b69d <http_header_hkey_get+0x85d> 67b560: 0f bf 03 movswl (%rbx),%eax 67b563: 31 c9 xor %ecx,%ecx 67b565: e9 06 ff ff ff jmpq 67b470 <http_header_hkey_get+0x630> 67b56a: 89 d9 mov %ebx,%ecx 67b56c: 80 e1 07 and $0x7,%cl 67b56f: 38 c1 cmp %al,%cl 67b571: 0f 8c 94 f9 ff ff jl 67af0b <http_header_hkey_get+0xcb> 67b577: 48 89 df mov %rbx,%rdi 67b57a: e8 61 7b e2 ff callq 4a30e0 <__asan_report_load1> 67b57f: 89 f1 mov %esi,%ecx 67b581: 80 e1 07 and $0x7,%cl 67b584: 38 c1 cmp %al,%cl 67b586: 0f 8c db f9 ff ff jl 67af67 <http_header_hkey_get+0x127> 67b58c: 48 89 f7 mov %rsi,%rdi 67b58f: e8 4c 7b e2 ff callq 4a30e0 <__asan_report_load1> 67b594: 48 8b 05 35 41 2f 00 mov 0x2f4135(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b59b: 80 80 2d c1 00 00 01 addb $0x1,0xc12d(%rax) 67b5a2: 64 41 c7 45 00 79 40 movl $0x4079,%fs:0x0(%r13) 67b5a9: 00 00 67b5ab: bf 30 2b 91 00 mov $0x912b30,%edi 67b5b0: 48 89 f5 mov %rsi,%rbp 67b5b3: be e0 31 86 00 mov $0x8631e0,%esi 67b5b8: 48 89 da mov %rbx,%rdx 67b5bb: e8 30 00 e5 ff callq 4cb5f0 <__ubsan_handle_pointer_overflow> 67b5c0: 48 89 ee mov %rbp,%rsi 67b5c3: e9 f8 f8 ff ff jmpq 67aec0 <http_header_hkey_get+0x80> 67b5c8: 48 8b 05 01 41 2f 00 mov 0x2f4101(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b5cf: 80 80 c1 5d 00 00 01 addb $0x1,0x5dc1(%rax) 67b5d6: 64 41 c7 45 00 9d 35 movl $0x359d,%fs:0x0(%r13) 67b5dd: 00 00 67b5df: bf 40 2b 91 00 mov $0x912b40,%edi 67b5e4: 48 89 f5 mov %rsi,%rbp 67b5e7: 48 89 f2 mov %rsi,%rdx 67b5ea: e8 01 00 e5 ff callq 4cb5f0 <__ubsan_handle_pointer_overflow> 67b5ef: 64 49 63 45 00 movslq %fs:0x0(%r13),%rax 67b5f4: 48 8b 0d d5 40 2f 00 mov 0x2f40d5(%rip),%rcx # 96f6d0 <__afl_area_ptr> 67b5fb: 48 35 8f f3 00 00 xor $0xf38f,%rax 67b601: 80 04 01 01 addb $0x1,(%rcx,%rax,1) 67b605: 64 41 c7 45 00 c7 79 movl $0x79c7,%fs:0x0(%r13) 67b60c: 00 00 67b60e: 48 8b 05 bb 40 2f 00 mov 0x2f40bb(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b615: 80 80 df 95 00 00 01 addb $0x1,0x95df(%rax) 67b61c: 64 41 c7 45 00 0c 76 movl $0x760c,%fs:0x0(%r13) 67b623: 00 00 67b625: bf 50 2b 91 00 mov $0x912b50,%edi 67b62a: 48 89 ee mov %rbp,%rsi 67b62d: e8 de c4 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b632: 48 89 ee mov %rbp,%rsi 67b635: e9 f9 f8 ff ff jmpq 67af33 <http_header_hkey_get+0xf3> 67b63a: 48 8b 05 8f 40 2f 00 mov 0x2f408f(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b641: 80 80 5e 74 00 00 01 addb $0x1,0x745e(%rax) 67b648: 64 41 c7 45 00 05 26 movl $0x2605,%fs:0x0(%r13) 67b64f: 00 00 67b651: bf 70 2b 91 00 mov $0x912b70,%edi 67b656: 49 89 f4 mov %rsi,%r12 67b659: 48 89 de mov %rbx,%rsi 67b65c: e8 ef e2 e4 ff callq 4c9950 <__ubsan_handle_out_of_bounds> 67b661: 4c 89 e6 mov %r12,%rsi 67b664: e9 1f f9 ff ff jmpq 67af88 <http_header_hkey_get+0x148> 67b669: 48 8b 05 60 40 2f 00 mov 0x2f4060(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b670: 80 80 a2 e9 00 00 01 addb $0x1,0xe9a2(%rax) 67b677: 64 41 c7 45 00 b8 47 movl $0x47b8,%fs:0x0(%r13) 67b67e: 00 00 67b680: bf 90 2b 91 00 mov $0x912b90,%edi 67b685: 49 89 f4 mov %rsi,%r12 67b688: be 40 32 86 00 mov $0x863240,%esi 67b68d: 48 89 da mov %rbx,%rdx 67b690: e8 5b ff e4 ff callq 4cb5f0 <__ubsan_handle_pointer_overflow> 67b695: 4c 89 e6 mov %r12,%rsi 67b698: e9 3b f9 ff ff jmpq 67afd8 <http_header_hkey_get+0x198> 67b69d: 89 d9 mov %ebx,%ecx 67b69f: 80 e1 07 and $0x7,%cl 67b6a2: 80 c1 01 add $0x1,%cl 67b6a5: 38 c1 cmp %al,%cl 67b6a7: 0f 8c b3 fe ff ff jl 67b560 <http_header_hkey_get+0x720> 67b6ad: 48 89 df mov %rbx,%rdi 67b6b0: e8 cb 7a e2 ff callq 4a3180 <__asan_report_load2> 67b6b5: 48 89 ef mov %rbp,%rdi 67b6b8: e8 23 7a e2 ff callq 4a30e0 <__asan_report_load1> 67b6bd: 4c 89 e7 mov %r12,%rdi 67b6c0: e8 bb 7a e2 ff callq 4a3180 <__asan_report_load2> 67b6c5: 48 8b 05 04 40 2f 00 mov 0x2f4004(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b6cc: 80 80 30 b8 00 00 01 addb $0x1,0xb830(%rax) 67b6d3: 64 41 c7 45 00 76 6b movl $0x6b76,%fs:0x0(%r13) 67b6da: 00 00 67b6dc: bf 10 2c 91 00 mov $0x912c10,%edi 67b6e1: 48 89 de mov %rbx,%rsi 67b6e4: e8 27 c4 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b6e9: e9 16 fe ff ff jmpq 67b504 <http_header_hkey_get+0x6c4> 67b6ee: 48 8b 05 db 3f 2f 00 mov 0x2f3fdb(%rip),%rax # 96f6d0 <__afl_area_ptr> 67b6f5: 80 80 d3 d5 00 00 01 addb $0x1,0xd5d3(%rax) 67b6fc: 64 41 c7 45 00 d2 5c movl $0x5cd2,%fs:0x0(%r13) 67b703: 00 00 67b705: bf 30 2c 91 00 mov $0x912c30,%edi 67b70a: 48 89 de mov %rbx,%rsi 67b70d: e8 fe c3 e4 ff callq 4c7b10 <__ubsan_handle_type_mismatch_v1> 67b712: e9 15 fe ff ff jmpq 67b52c <http_header_hkey_get+0x6ec> Disassembly of section .fini:
Updated by gstrauss 4 months ago
The assembly of the code instrumented with -fsanitize=undefined is very long; I did not look through it.
The warning is not issued with gcc
$ gcc --version gcc (GCC) 14.2.1 20240801 (Red Hat 14.2.1-1)
The warning is issued with clang
$ clang --version clang version 18.1.6 (Fedora 18.1.6-3.fc40)
A simple reproducer is:
printf 'GET / HTTP/1.0\r\na:b\r\n\r\n' | nc 127.0.0.1 80
I think clang is being a bit too pedantic.
Actions
Also available in: Atom