Posted to bugs@httpd.apache.org by bu...@apache.org on 2020/07/14 08:25:29 UTC
[Bug 64598] New: mod_http2 and mod_proxy_uwsgi: segfault in
uwsgi_send_headers()
https://bz.apache.org/bugzilla/show_bug.cgi?id=64598
Bug ID: 64598
Summary: mod_http2 and mod_proxy_uwsgi: segfault in
uwsgi_send_headers()
Product: Apache httpd-2
Version: 2.4.43
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_http2
Assignee: bugs@httpd.apache.org
Reporter: pgajdos@suse.cz
Target Milestone: ---
Original bug report including backtrace:
https://bugzilla.suse.com/show_bug.cgi?id=1174052
The easiest way to reproduce:
$ git clone https://github.com/pgajdos/apache-rex.git
$ cd apache-rex
$ HTTPD_MPM=worker ./run-rex mod_proxy_uwsgi-http2
[..]
$ cat /tmp/apache-rex/mod_proxy_uwsgi-http2/error_log
[Tue Jul 14 10:18:32.584670 2020] [mpm_worker:notice] [pid 670:tid
140293301127168] AH00292: Apache/2.4.43 (Linux/SUSE) OpenSSL/1.1.1g configured
-- resuming normal operations
[Tue Jul 14 10:18:32.584841 2020] [core:notice] [pid 670:tid 140293301127168]
AH00094: Command line: 'httpd -f
/tmp/apache-rex/mod_proxy_uwsgi-http2/httpd.conf'
[Tue Jul 14 10:18:37.395546 2020] [core:notice] [pid 670:tid 140293301127168]
AH00051: child pid 674 exit signal Segmentation fault (11), possible coredump
in /srv/www
[Tue Jul 14 10:18:37.412147 2020] [mpm_worker:notice] [pid 670:tid
140293301127168] AH00295: caught SIGTERM, shutting down
$
I can work out a testcase which does not need the apache-rex framework if you wish
and of course help in other ways.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 64598] mod_http2 and mod_proxy_uwsgi: segfault in
uwsgi_send_headers()
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=64598
Christophe JAILLET <ch...@wanadoo.fr> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #11 from Christophe JAILLET <ch...@wanadoo.fr> ---
Backported in 2.4.x in r1880773
This will be part of 2.4.47
--- Comment #6 from Petr Gajdos <pg...@suse.cz> ---
(In reply to Petr Gajdos from comment #5)
> You probably wanted
> headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val)
> : 0;
Eh,
headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val :
0);
of course.
--- Comment #2 from Ruediger Pluem <rp...@apache.org> ---
Does the below patch fix your issue?
Index: modules/proxy/mod_proxy_uwsgi.c
===================================================================
--- modules/proxy/mod_proxy_uwsgi.c (revision 1879840)
+++ modules/proxy/mod_proxy_uwsgi.c (working copy)
@@ -175,7 +175,7 @@
env = (apr_table_entry_t *) env_table->elts;
for (j = 0; j < env_table->nelts; ++j) {
- headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
+ headerlen += 2 + strlen(env[j].key) + 2 + env[j].val ?
strlen(env[j].val) : 0;
}
ptr = buf = apr_palloc(r->pool, headerlen);
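Review bot: In the added `headerlen +=` line, `?:` binds more loosely than `+`, so `2 + strlen(env[j].key) + 2 + env[j].val` becomes the condition and only `strlen(env[j].val)` or `0` is added. A NULL `val` therefore still reaches `strlen()`, and the key and length-prefix bytes are no longer counted, which leaves the `apr_palloc(r->pool, headerlen)` below too small for what the copy loop writes. Wrap the conditional in parentheses: `(env[j].val ? strlen(env[j].val) : 0)`.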
@@ -189,10 +189,12 @@
memcpy(ptr, env[j].key, keylen);
ptr += keylen;
- vallen = strlen(env[j].val);
+ vallen = env[j].val ? strlen(env[j].val) : 0;
*ptr++ = (apr_byte_t) (vallen & 0xff);
*ptr++ = (apr_byte_t) ((vallen >> 8) & 0xff);
- memcpy(ptr, env[j].val, vallen);
+ if (env[j].val) {
+ memcpy(ptr, env[j].val, vallen);
+ }
ptr += vallen;
}
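Review bot: A NULL `env[j].val` is now sent as a zero-length value at `vallen = env[j].val ? strlen(env[j].val) : 0;`, so the backend cannot tell an unset variable from an empty one; a short comment saying this is intended would help, or such entries could be skipped in both loops. Separately, the context lines write `vallen` as two bytes with no bound check, so a value longer than 0xffff would get a truncated length prefix while `memcpy` still copies the full `vallen`.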
--- Comment #3 from Petr Gajdos <pg...@suse.cz> ---
http://mail-archives.apache.org/mod_mbox/httpd-dev/202004.mbox/%3CD7404045-5A90-4547-8445-4A87758C100A@greenbytes.de%3E
This looks similar.
--- Comment #4 from Petr Gajdos <pg...@suse.cz> ---
(In reply to Ruediger Pluem from comment #2)
> Does the below patch fix your issue?
>
> Index: modules/proxy/mod_proxy_uwsgi.c
> ===================================================================
> --- modules/proxy/mod_proxy_uwsgi.c (revision 1879840)
> +++ modules/proxy/mod_proxy_uwsgi.c (working copy)
> @@ -175,7 +175,7 @@
> env = (apr_table_entry_t *) env_table->elts;
>
> for (j = 0; j < env_table->nelts; ++j) {
> - headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
> + headerlen += 2 + strlen(env[j].key) + 2 + env[j].val ?
> strlen(env[j].val) : 0;
> }
>
> ptr = buf = apr_palloc(r->pool, headerlen);
> @@ -189,10 +189,12 @@
> memcpy(ptr, env[j].key, keylen);
> ptr += keylen;
>
> - vallen = strlen(env[j].val);
> + vallen = env[j].val ? strlen(env[j].val) : 0;
> *ptr++ = (apr_byte_t) (vallen & 0xff);
> *ptr++ = (apr_byte_t) ((vallen >> 8) & 0xff);
> - memcpy(ptr, env[j].val, vallen);
> + if (env[j].val) {
> + memcpy(ptr, env[j].val, vallen);
> + }
> ptr += vallen;
> }
Will check ..
--- Comment #9 from Petr Gajdos <pg...@suse.cz> ---
The reporter says everything works.
Thanks, Ruediger, for the very, very fast response!
--- Comment #5 from Petr Gajdos <pg...@suse.cz> ---
You probably wanted
headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val) :
0;
right?
Now it does not crash, yes. I will ask the original reporter for testing.
--- Comment #8 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Petr Gajdos from comment #7)
> Heh, I actually mean
> headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val) :
> 0);
That's what I meant :-)
Ruediger Pluem <rp...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk,
| |PatchAvailable
--- Comment #10 from Ruediger Pluem <rp...@apache.org> ---
Committed to trunk as r1879878.
--- Comment #1 from Petr Gajdos <pg...@suse.cz> ---
(gdb) frame 1
#1 0x00007ffff4838e4f in uwsgi_send_headers (r=0x55555599ac20,
conn=0x55555599ec40) at mod_proxy_uwsgi.c:178
178 headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
(gdb) p env[j]
$6 = {key = 0x7ffff59d78d8 "H2_STREAM_ID", val = 0x0, key_checksum =
1209163603}
(gdb)
--- Comment #7 from Petr Gajdos <pg...@suse.cz> ---
Heh, I actually mean
headerlen += 2 + strlen(env[j].key) + 2 + (env[j].val ? strlen(env[j].val) :
0);
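The length calculation discussed in comments #2 and #5 to #8, as an added C example that is not part of the thread or of httpd: it compares how the unparenthesized expression parses with the parenthesized form, and encodes a NULL value as zero length behind a bounds check. `entry_t`, the sample table and all function names are constructed for illustration, and only the key/value block is encoded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for apr_table_entry_t; constructed sample data, not httpd's. */
typedef struct { const char *key; const char *val; } entry_t;
static const entry_t sample_env[] = {
    { "REQUEST_METHOD", "GET" },
    { "H2_STREAM_ID", NULL },          /* the entry seen in the gdb session */
    { "SERVER_NAME", "example.test" },
};
static size_t vlen(const char *v) { return v ? strlen(v) : 0; }

/* Conditional parenthesized, as settled in comments #7 and #8. */
size_t len_parenthesized(const entry_t *e, size_t n) {
    size_t len = 0;
    for (size_t j = 0; j < n; ++j)
        len += 2 + strlen(e[j].key) + 2 + (e[j].val ? strlen(e[j].val) : 0);
    return len;
}

/* How the comment #2 line parses: the whole sum is the ?: condition, so only
 * one arm is added. vlen() guards NULL here so the demonstration can run. */
size_t len_unparenthesized(const entry_t *e, size_t n) {
    size_t len = 0;
    for (size_t j = 0; j < n; ++j)
        len += (2 + strlen(e[j].key) + 2 + (uintptr_t)e[j].val) ? vlen(e[j].val) : 0;
    return len;
}

/* 2-byte little-endian length + bytes per field; 0 on oversize or no room. */
size_t encode(const entry_t *e, size_t n, unsigned char *buf, size_t cap) {
    unsigned char *p = buf;
    for (size_t j = 0; j < n; ++j) {
        size_t k = strlen(e[j].key), v = vlen(e[j].val);
        if (k > 0xffff || v > 0xffff || cap - (size_t)(p - buf) < 4 + k + v)
            return 0;
        *p++ = (unsigned char)(k & 0xff); *p++ = (unsigned char)(k >> 8);
        memcpy(p, e[j].key, k); p += k;
        *p++ = (unsigned char)(v & 0xff); *p++ = (unsigned char)(v >> 8);
        if (v) memcpy(p, e[j].val, v);
        p += v;
    }
    return (size_t)(p - buf);
}

int main(void) {
    unsigned char buf[64];
    printf("%zu %zu %zu\n", len_parenthesized(sample_env, 3),
           len_unparenthesized(sample_env, 3), encode(sample_env, 3, buf, sizeof buf));
}
```

A buffer sized from the unparenthesized total is smaller than what the encoder writes, which is why `encode()` checks the remaining room before each entry.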