Actions
Bug #393
closedInvilid RTSP OPTIONS request cause lighttpd crash.
Status:
Fixed
Priority:
High
Category:
core
Target version:
-
ASK QUESTIONS IN Forums:
Description
The Bug is raleted with changeset:579
http://trac.lighttpd.net/trac/changeset/579
In connection_handle_write_prepare(connections.c:354)
For OPTIONS request, con->uri.path->ptrr0 is accessed directly.
But if I send this request
OPTIONS rtsp://221.192.134.146:80 RTSP/1.1 Host: 221.192.134.146:80
http_request_parse(request.c:271) will set status to 400
and leave the uri path's ptr NULL perhaps.
So we should check the status of connection before check uri.path.
The lighttpd version I used is 1.4.7
The following text is backtrace of core file
(gdb) bt
#0 0x0805155b in connection_state_machine (srv=0x9eb8008, con=0x9ec7080) at connections.c:357
#1 0x0804dfa9 in main (argc=4, argv=0xbfe14b34) at server.c:1115
(gdb) print *con
$32 = {state = CON_STATE_RESPONSE_START, read_idle_ts = 1133260272, close_timeout_ts = 0, write_request_ts = 0,
connection_start = 1133260272, request_start = 1133260272, start_tv = {tv_sec = 0, tv_usec = 0},
request_count = 1, loops_per_request = 0, fd = 6, fde_ndx = 6, ndx = 0, is_readable = 0, is_writable = 1,
keep_alive = 0, file_started = 0, file_finished = 0, write_queue = 0x9ec72b8, read_queue = 0x9ec72e0,
request_content_queue = 0x9ec7308, traffic_limit_reached = 0, bytes_written = 0,
bytes_written_cur_second = 0, bytes_read = 405, bytes_header = 0, http_status = 400, dst_addr = {ipv4 = {
sin_family = 2, sin_port = 32527, sin_addr = {s_addr = 2004588243},
sin_zero = "\000\000\000\000\000\000\000"}, plain = {sa_family = 2,
sa_data = "\017\177?226{w\000\000\000\000\000\000\000"}}, dst_addr_buf = 0x9ec72a8,
parse_request = 0x9ec7268, parsed_response = 0, request = {request = 0x9ec6d60, uri = 0x9ec6d40,
orig_uri = 0x9ec6d80, http_method = HTTP_METHOD_OPTIONS, http_version = HTTP_VERSION_UNSET,
request_line = 0x9ec6d50, http_host = 0x0, http_range = 0x0, http_content_type = 0x0,
http_if_modified_since = 0x0, http_if_none_match = 0x0, headers = 0x9ec7330, content_length = 0,
accept_encoding = 0, pathinfo = 0x9ec6d70}, uri = {scheme = 0x9ec6d90, authority = 0x9ec6da0,
path = 0x9ec6db0, path_raw = 0x9ec6dc0, query = 0x9ec6dd0}, physical = {path = 0x9ec7228,
basedir = 0x9ec7238, doc_root = 0x9ec6de0, rel_path = 0x9ec7248, etag = 0x9ec7258}, response = {
content_length = -1, keep_alive = 0, headers = 0x9ec7350,
transfer_encoding = HTTP_TRANSFER_ENCODING_IDENTITY}, header_len = 0, authed_user = 0x9ec7278,
environment = 0x9ec7370, got_response = 0, in_joblist = 0, mode = DIRECT, plugin_ctx = 0x9ec7390, conf = {
mimetypes = 0x9eb9678, document_root = 0x9eba388, server_name = 0x0, error_handler = 0x9eba1d8,
server_tag = 0x9eba1c8, dirlist_encoding = 0x0, errorfile_prefix = 0x9eba100, max_keep_alive_requests = 16,
max_keep_alive_idle = 5, max_read_idle = 60, max_write_idle = 360, use_xattr = 0, follow_symlink = 1,
range_requests = 1, log_file_not_found = 0, log_request_header = 0, log_request_handling = 0,
log_response_header = 0, log_condition_handling = 0, ssl_pemfile = 0x9eba2b0, ssl_ca_file = 0x9eba2a0,
use_ipv6 = 0, is_ssl = 0, allow_http11 = 1, force_lower_case = 0, max_request_size = 0,
kbytes_per_second = 0, global_kbytes_per_second = 0, global_bytes_per_second_cnt = 0,
global_bytes_per_second_cnt_ptr = 0x9eba6b4, ssl_ctx = 0x0}, cond_cache = 0x9ec73e8,
server_name = 0x9ec7288, error_handler = 0x9ec7298, error_handler_saved_status = 0, in_error_handler = 0,
srv_socket = 0x9ec3378, ssl = 0x0}
(gdb) print *con->uri.path
$33 = {ptr = 0x0, used = 0, size = 0}
-- scaner
Updated by jan over 18 years ago
- Status changed from New to Fixed
- Resolution set to fixed
we have a testcase for this request since a while and it looks like this bug got fixed.
Actions
Also available in: Atom