
bugzilla at apache
Nov 24, 2009, 5:00 AM
[Bug 48272] New: mod_proxy_fcgi crashes Apache on invalid headers
https://issues.apache.org/bugzilla/show_bug.cgi?id=48272

           Summary: mod_proxy_fcgi crashes Apache on invalid headers
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Other Modules
        AssignedTo: bugs [at] httpd
        ReportedBy: ef-lists [at] email

Created an attachment (id=24604)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24604)
Crash Backtrace

When mod_proxy_fcgi serves as a reverse proxy, it will crash the current instance of Apache with a segfault if it receives invalid headers (invalid in terms of the ap_scan_script_header_err_core function in server/util_script.c).

When mod_proxy_fcgi calls ap_scan_script_header_err_brigade with the currently read data and ap_scan_script_header_err_core detects an invalid header, the latter function will try to soak up all data in the brigade. As the given brigade does not contain an EOS bucket (this is added in mod_proxy_fcgi only when the complete FCGI stream has been read from the backend), getsfunc_BRIGADE will try to call the read function on a brigade sentinel and crash.

Find attached a backtrace of the crash. The line numbers unfortunately aren't correct anymore, but finding the corresponding source pieces should be straightforward.

Besides the fact that mod_proxy_fcgi (IMHO), with its pipelining approach (as opposed to soaking the complete script output into memory before forwarding it to the client), can't meet the preconditions to call ap_scan_script_header_err_brigade, I'd suggest that getsfunc_BRIGADE should be prepared in one way or another to see a brigade sentinel. Furthermore, ap_scan_script_header_err_core doesn't respect the possible -1 return (TIMEOUT) from getsfunc_BRIGADE in the place where it soaks up the invalid script output. If the latter two suggestions are implemented, I'd suggest this change also for 2.2.x.

I filed this bug as PC/Linux as this is my current platform, but it should be reproducible on any hardware/OS as far as I've seen it in the source. For your reference, this is the configure line I built Apache with:

./configure --with-mpm=worker --enable-so --enable-proxy --enable-proxy-fcgi

with APR and APU version 1.3.9 in srclib, and tested against several trunk checkouts during the last month. Platform is a Debian Lenny 64-bit on an Intel QuadCore.
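The following is an added illustration of the two guards the report asks for; it is not httpd or APR code and not the reporter's. It models a bucket brigade as a ring whose head node is a data-less sentinel (the role APR_BRIGADE_SENTINEL plays in APR), a line reader that stops at the sentinel instead of reading it and reports -1 when the brigade is exhausted before an EOS bucket, and a header scanner whose "soak up the rest" loop stops on that -1 instead of treating it as one more line. The bucket layout, the names brigade_gets and scan_script_headers, the three-way status codes and the FCGI stdout chunks fed in are all assumptions of the model, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model only (not APR): a ring of buckets whose head is a sentinel with no data. */
typedef enum { BKT_DATA, BKT_EOS } bkt_type;

typedef struct bucket {
    struct bucket *next;
    bkt_type type;
    const char *data;   /* NULL for the sentinel and for EOS */
    size_t len;
} bucket;

typedef struct {
    bucket sentinel;    /* ring head; "reading" it is the crash in the report */
    bucket *cur;        /* next bucket to consume */
    size_t off;         /* bytes of *cur already consumed */
} brigade;

typedef enum { SCAN_OK = 0, SCAN_BAD_HEADER = 1, SCAN_INCOMPLETE = 2 } scan_status;

static void brigade_init(brigade *b)
{
    b->sentinel.next = &b->sentinel;
    b->sentinel.type = BKT_DATA;
    b->sentinel.data = NULL;
    b->sentinel.len = 0;
    b->cur = &b->sentinel;
    b->off = 0;
}

static void brigade_append(brigade *b, bucket *e)
{
    bucket *last = &b->sentinel;
    while (last->next != &b->sentinel)
        last = last->next;
    last->next = e;
    e->next = &b->sentinel;
    if (b->cur == &b->sentinel)         /* ring was empty or fully consumed */
        b->cur = e;
}

/* Model of a getsfunc: 1 = a line (CR/LF stripped), 0 = EOS reached,
 * -1 = brigade exhausted before EOS (a blocking read would wait, and may
 * time out, on the backend). The sentinel is never dereferenced. */
static int brigade_gets(char *buf, size_t len, brigade *b)
{
    size_t n = 0;
    for (;;) {
        bucket *e = b->cur;
        if (e == &b->sentinel) {        /* guard the report asks for */
            buf[n] = '\0';              /* partial line bytes are dropped in this model */
            return -1;
        }
        if (e->type == BKT_EOS) {       /* stay on EOS: later calls keep returning 0 */
            buf[n] = '\0';
            return n > 0 ? 1 : 0;
        }
        while (b->off < e->len && n + 1 < len) {
            char c = e->data[b->off++];
            if (c == '\n') {
                if (n > 0 && buf[n - 1] == '\r')
                    n--;
                buf[n] = '\0';
                return 1;
            }
            buf[n++] = c;
        }
        if (n + 1 >= len) {             /* line longer than the buffer: return a piece */
            buf[n] = '\0';
            return 1;
        }
        b->cur = e->next;               /* bucket fully consumed: advance */
        b->off = 0;
    }
}

/* Model of the header scan: a header is "Name: value" with a non-empty name.
 * On an invalid header the remaining script output is drained, but the drain
 * loop stops on -1 instead of looping on a non-zero "error" value. */
static scan_status scan_script_headers(brigade *b)
{
    char line[256];
    int rc;
    while ((rc = brigade_gets(line, sizeof line, b)) == 1) {
        const char *colon;
        if (line[0] == '\0')            /* blank line ends the header block */
            return SCAN_OK;
        colon = strchr(line, ':');
        if (colon == NULL || colon == line) {
            while ((rc = brigade_gets(line, sizeof line, b)) == 1)
                ;                       /* soak up the rest, if it is all here */
            return rc == -1 ? SCAN_INCOMPLETE : SCAN_BAD_HEADER;
        }
    }
    return rc == -1 ? SCAN_INCOMPLETE : SCAN_BAD_HEADER;
}

/* Build a brigade from one or two constructed chunks, optionally EOS-terminated. */
static scan_status scan_chunks(const char *first, const char *second, int with_eos)
{
    brigade b;
    bucket b1, b2, eos;
    brigade_init(&b);
    b1.type = BKT_DATA; b1.data = first; b1.len = strlen(first);
    brigade_append(&b, &b1);
    if (second) {
        b2.type = BKT_DATA; b2.data = second; b2.len = strlen(second);
        brigade_append(&b, &b2);
    }
    if (with_eos) {
        eos.type = BKT_EOS; eos.data = NULL; eos.len = 0;
        brigade_append(&b, &eos);
    }
    return scan_script_headers(&b);
}

int main(void)
{
    /* Constructed FCGI stdout fragments, not captured traffic. */
    printf("valid, EOS present:   %d\n", scan_chunks("Content-Type: text/plain\n\nbody\n", NULL, 1));
    printf("invalid, EOS present: %d\n", scan_chunks("this is not a header\nmore junk\n", NULL, 1));
    printf("invalid, no EOS yet:  %d\n", scan_chunks("this is not a header\nmore junk\n", NULL, 0));
    printf("split across buckets: %d\n", scan_chunks("Content-Type: text/pl", "ain\n\n", 1));
    return 0;
}
```

The third case is the mod_proxy_fcgi situation from the report: the invalid header is detected while the backend is still streaming, so the brigade ends at the sentinel rather than at an EOS bucket. With the sentinel guard and the -1 check the scanner returns SCAN_INCOMPLETE, which the caller can turn into an error response or a retry once more data arrives, instead of dereferencing the ring head.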