Posted to dev@httpd.apache.org by Kris Verbeeck <Kr...@ubizen.com> on 2002/08/26 18:20:15 UTC

[PATCH] fixes segfault in mod_cache (2.0.40)

Hi,

Someone in our QA team tried the following test:

	telnet <host> 80
	GET https://whatever.html HTTP/1.0

this resulted in a segfault for the child that handled the request.
Agreed, this is not a normal HTTP request, but firing enough of them
will surely DoS the server.

Our apache runs on Sparc/Solaris8 and 'httpd -l' gives:

  Compiled in modules:
    core.c
    mod_access.c
    mod_cache.c
    mod_disk_cache.c
    mod_deflate.c
    mod_jk.c
    mod_log_config.c
    mod_env.c
    mod_setenvif.c
    mod_ssl.c
    prefork.c
    http_core.c
    mod_mime.c
    mod_alias.c

Gdb told me that there was a null pointer dereference in
ap_cache_get_cache_type when it tried to compare the request's
URL with the prefix from the configuration.

The patch will just return NULL when the URL is NULL and results
in no caching for that request (which seems reasonable since there
is no URL to cache).

ps: I don't know whether the actual fix of this problem should
be in cache_util.c or somewhere in the URI parsing routines.

-- 
ir. Kris Verbeeck
Development Engineer

Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium
T:  +32 16 28 70 64
F:  +32 16 28 70 77

Ubizen - We Secure e-business - www.ubizen.com
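A stand-alone illustration of the guard the patch adds, written for this thread and not taken from mod_cache itself: the struct, the sample CacheEnable entries and the probe URLs are all constructed, and the lookup only mirrors the prefix-matching shape that the cover note and hunk describe.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for httpd's cache_enable entries (constructed for
 * this example, not mod_cache's own struct): a URL prefix and its cache type. */
struct cache_enable {
    const char *url;    /* prefix from a CacheEnable directive */
    size_t urllen;
    const char *type;   /* e.g. "disk" or "mem" */
};

/* Constructed configuration standing in for conf->cacheenable. */
static const struct cache_enable sample_conf[] = {
    { "/static/", 8, "disk" },
    { "/api/",    5, "mem"  },
};
static const int sample_conf_n = (int)(sizeof sample_conf / sizeof sample_conf[0]);

/* Return the cache type whose prefix matches url, or NULL for "don't cache".
 * The pre-patch loop in ap_cache_get_cache_type compared url against every
 * prefix without checking that url was set; a NULL url reached strncmp and
 * the child segfaulted. The guard below is the patch's fix. */
const char *cache_get_cache_type(const char *url,
                                 const struct cache_enable *ents, int n)
{
    int i;
    /* No URL means nothing to match, so simply don't cache this request. */
    if (!url) {
        return NULL;
    }
    for (i = 0; i < n; i++) {
        if (strncmp(ents[i].url, url, ents[i].urllen) == 0) {
            return ents[i].type;
        }
    }
    return NULL;
}

int main(void)
{
    /* Constructed probes; the last one models the request that had no URL. */
    const char *probes[] = { "/static/logo.png", "/api/v1/users", "/index.html", NULL };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *t = cache_get_cache_type(probes[i], sample_conf, sample_conf_n);
        printf("%-18s -> %s\n", probes[i] ? probes[i] : "(NULL url)", t ? t : "no cache");
    }
    return 0;
}
```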

Re: [PATCH] fixes segfault in mod_cache (2.0.40)

Posted by Ian Holsman <ia...@apache.org>.
Thanks Kris.

Keep them coming ;-)

Kris Verbeeck wrote:
> Hi,
> 
> Someone in our QA team tried the following test:
> 
> 	telnet <host> 80
> 	GET https://whatever.html HTTP/1.0
> 
> this resulted in a segfault for the child that handled the request.
> Agreed, this is not a normal HTTP request, but firing enough of them
> will surely DoS the server.
> 
> Our apache runs on Sparc/Solaris8 and 'httpd -l' gives:
> 
>   Compiled in modules:
>     core.c
>     mod_access.c
>     mod_cache.c
>     mod_disk_cache.c
>     mod_deflate.c
>     mod_jk.c
>     mod_log_config.c
>     mod_env.c
>     mod_setenvif.c
>     mod_ssl.c
>     prefork.c
>     http_core.c
>     mod_mime.c
>     mod_alias.c
> 
> Gdb told me that there was a null pointer dereference in
> ap_cache_get_cache_type when it tried to compare the request's
> URL with the prefix from the configuration.
> 
> The patch will just return NULL when the URL is NULL and results
> in no caching for that request (which seems reasonable since there
> is no URL to cache).
> 
> ps: I don't know whether the actual fix of this problem should
> be in cache_util.c or somewhere in the URI parsing routines.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --- httpd-2.0.40/modules/experimental/cache_util.c	Sun Jun 23 08:10:00 2002
> +++ httpd-2.0.40-PATCHED/modules/experimental/cache_util.c	Mon Aug 26 17:28:37 2002
> @@ -104,6 +104,12 @@
>      const char *type = NULL;
>      int i;
>  
> +    /* we can't cache if there's no URL
> +     * fixes segfault for 'GET https://whatever.html HTTP/1.0' request
> +     * on HTTP port (e.g. 80)
> +     */
> +    if (!url) return NULL;
> +
>      /* loop through all the cacheenable entries */
>      for (i = 0; i < conf->cacheenable->nelts; i++) {
>          struct cache_enable *ent = 
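Review bot: the `if (!url) return NULL;` guard stops the dereference in ap_cache_get_cache_type only; the cover note says the URL arrives NULL for an absolute `https://` request-line on the plain HTTP port and that the real fix may belong in the URI parsing routines, so any other code that reads the same URL is still exposed until that is settled. As an interim fix it is fine, but please match the brace style of the surrounding `for (...) {` block (`if (!url) {` / `return NULL;` / `}`) and let the comment state the condition (request has no URL) rather than one sample request, since the same path is reachable by other malformed request-lines.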



Re: [PATCH] fixes segfault in mod_cache (2.0.40)

Posted by Graham Leggett <mi...@sharp.fm>.
Kris Verbeeck wrote:

> Apache behaviour with this patch (or without mod_cache):
> 
> The request:
> 
> 	GET https://whatever.html HTTP/1.0
> 
> is equivalent to:
> 
> 	GET / HTTP/1.0
> 
> I'm wondering whether this is the desired behaviour?  This is
> also the behaviour of a 1.3.x Apache.  Maybe Apache should block
> this kind of requests and return an error message??

This is correct: You are asking Apache to return the default page from a 
website called "whatever.html". As there is no virtual host configured 
called "whatever.html" it returns the / page from the default website in 
the config.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm 
	"There's a moon
					over Bourbon Street
						tonight..."


Re: [PATCH] fixes segfault in mod_cache (2.0.40)

Posted by Kris Verbeeck <Kr...@ubizen.com>.
Apache behaviour with this patch (or without mod_cache):

The request:

	GET https://whatever.html HTTP/1.0

is equivalent to:

	GET / HTTP/1.0

I'm wondering whether this is the desired behaviour?  This is
also the behaviour of a 1.3.x Apache.  Maybe Apache should block
this kind of requests and return an error message??

Kris Verbeeck wrote:
> 
> Hi,
> 
> Someone in our QA team tried the following test:
> 
>         telnet <host> 80
>         GET https://whatever.html HTTP/1.0
> 
> this resulted in a segfault for the child that handled the request.
> Agreed, this is not a normal HTTP request, but firing enough of them
> will surely DoS the server.
> 
> Our apache runs on Sparc/Solaris8 and 'httpd -l' gives:
> 
>   Compiled in modules:
>     core.c
>     mod_access.c
>     mod_cache.c
>     mod_disk_cache.c
>     mod_deflate.c
>     mod_jk.c
>     mod_log_config.c
>     mod_env.c
>     mod_setenvif.c
>     mod_ssl.c
>     prefork.c
>     http_core.c
>     mod_mime.c
>     mod_alias.c
> 
> Gdb told me that there was a null pointer dereference in
> ap_cache_get_cache_type when it tried to compare the request's
> URL with the prefix from the configuration.
> 
> The patch will just return NULL when the URL is NULL and results
> in no caching for that request (which seems reasonable since there
> is no URL to cache).
> 
> ps: I don't know whether the actual fix of this problem should
> be in cache_util.c or somewhere in the URI parsing routines.
> 
> --
> ir. Kris Verbeeck
> Development Engineer
> 
> Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium
> T:  +32 16 28 70 64
> F:  +32 16 28 70 77
> 
> Ubizen - We Secure e-business - www.ubizen.com
> 
>   ----------------------------------------------------------------------------------------------------------------------------------------------------------------
> --- httpd-2.0.40/modules/experimental/cache_util.c      Sun Jun 23 08:10:00 2002
> +++ httpd-2.0.40-PATCHED/modules/experimental/cache_util.c      Mon Aug 26 17:28:37 2002
> @@ -104,6 +104,12 @@
>      const char *type = NULL;
>      int i;
> 
> +    /* we can't cache if there's no URL
> +     * fixes segfault for 'GET https://whatever.html HTTP/1.0' request
> +     * on HTTP port (e.g. 80)
> +     */
> +    if (!url) return NULL;
> +
>      /* loop through all the cacheenable entries */
>      for (i = 0; i < conf->cacheenable->nelts; i++) {
>          struct cache_enable *ent =

-- 
ir. Kris Verbeeck
Development Engineer

Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium
T:  +32 16 28 70 64
F:  +32 16 28 70 77

Ubizen - We Secure e-business - www.ubizen.com