Subject: pkg/8307: apache6 segv's in do_double_reverse()
To: None <gnats-bugs@gnats.netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 08/31/1999 23:50:49
>Number: 8307
>Category: pkg
>Synopsis: apache6 segv's in do_double_reverse()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager (NetBSD software packages system bug manager)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Aug 31 23:50:00 1999
>Last-Modified:
>Originator: Wolfgang Rupprecht
>Organization:
W S Rupprecht Computer Consulting, Fremont CA
>Release: NetBSD-current Aug 30 1999
>Environment:
System: NetBSD capsicum.wsrcc.com 1.4K NetBSD 1.4K (WSRCC) #0: Thu Aug 26 16:46:07 PDT 1999 root@capsicum.wsrcc.com:/v/src/netbsd/NetBSD-current/usr/src/sys/arch/i386/compile/WSRCC i386
>Description:
Attempting to http to a restricted directory (e.g. one with a host restriction) causes apache6 to segv.
>How-To-Repeat:
Create an http directory that is off-limits to the world, but readable from a certain host.
View it from the allowed host. Watch apache segv.
Program received signal SIGSEGV, Segmentation fault.
0x806e11e in ap_get_remote_host (conn=0x8102014, dir_config=0x8104f2c, type=3)
at http_core.c:569
(gdb) bt
Reading in symbols for mod_access.c...done.
Reading in symbols for http_request.c...done.
Reading in symbols for http_main.c...done.
#0 0x806e11e in ap_get_remote_host (conn=0x8102014, dir_config=0x8104f2c,
type=3) at http_core.c:569
#1 0x8065bd1 in find_allowdeny (r=0x8104034, a=0x80b48e4, method=0)
at mod_access.c:534
#2 0x8065caa in check_dir_access (r=0x8104034) at mod_access.c:574
#3 0x806bab6 in run_method (r=0x8104034, offset=15, run_all=1)
at http_config.c:360
#4 0x806bb13 in ap_check_access (r=0x8104034) at http_config.c:377
#5 0x8079282 in process_request_internal (r=0x8104034) at http_request.c:1155
#6 0x80794b7 in ap_process_request (r=0x8104034) at http_request.c:1228
#7 0x8073868 in child_main (child_num_arg=0) at http_main.c:3911
#8 0x80739a7 in make_child (s=0x809e034, slot=0, now=936165541)
at http_main.c:3983
#9 0x8073aa4 in startup_children (number_to_start=5) at http_main.c:4063
#10 0x8073f5f in standalone_main (argc=4, argv=0xefbfd84c) at http_main.c:4350
#11 0x807463b in main (argc=4, argv=0xefbfd84c) at http_main.c:4660
#12 0x804e4e9 in _start ()
>Fix:
This appears to be a typo which causes uninitialized data to be used as the host's addrinfo.
cd /v/obj/www/apache6/work/apache_1.3.6/src/main/
diff -u /v/obj/www/apache6/work/apache_1.3.6/src/main/http_core.c.\~1\~ /v/obj/www/apache6/work/apache_1.3.6/src/main/http_core.c
--- /v/obj/www/apache6/work/apache_1.3.6/src/main/http_core.c.~1~ Tue Aug 31 22:25:15 1999
+++ /v/obj/www/apache6/work/apache_1.3.6/src/main/http_core.c Tue Aug 31 23:27:40 1999
@@ -557,7 +557,7 @@
}
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
- if (getaddrinfo(conn->remote_host, NULL, &hints, &res)) {
+ if (getaddrinfo(conn->remote_host, NULL, &hints, &res0)) {
conn->double_reverse = -1;
return;
}
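Review bot: The one-token fix is correct as far as this hunk shows: the `+ if (getaddrinfo(conn->remote_host, NULL, &hints, &res0))` line now stores the result list in res0, presumably the head pointer that the rest of do_double_reverse() walks and later hands to freeaddrinfo(), whereas the old `&res` filled a separate local and left the head uninitialised, which matches the SIGSEGV at http_core.c:569 in the backtrace. Worth adding in the same patch: initialise both pointers at their declaration (e.g. `struct addrinfo *res0 = NULL, *res = NULL;`) so a repeat of this mix-up dereferences NULL deterministically instead of stack garbage, and build with -Wall so the "may be used uninitialized" warning that would have caught this is visible. The error path (`conn->double_reverse = -1; return;`) returns before anything is dereferenced and needs no change.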
Diff exited abnormally with code 1 at Tue Aug 31 23:33:15
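The double-reverse check that the backtrace names, written out as an added example to show the pointer discipline the patch restores: the list head from getaddrinfo() lands in res0, a separate cursor walks it, and only the head is freed. This is not Apache's or the apache6 package's code; double_reverse_matches() and double_reverse_matches_ipv4() are names assumed for this example.

```c
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper, not Apache's: return 1 if one of the addresses that
 * claimed_name resolves to equals the peer address, -1 otherwise (lookup
 * failure included, mirroring the conn->double_reverse = -1 convention). */
int double_reverse_matches(const char *claimed_name, const struct sockaddr *peer)
{
    struct addrinfo hints, *res0 = NULL, *res;  /* res0 = list head, res = cursor */
    int verdict = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not one per protocol */

    /* The head pointer is the one getaddrinfo() must fill.  The report's bug was
     * passing &res here, so the head the function walked held stack garbage;
     * res0 = NULL above turns a repeat of that mistake into a clean NULL fault. */
    if (getaddrinfo(claimed_name, NULL, &hints, &res0) != 0 || res0 == NULL)
        return -1;

    for (res = res0; res != NULL; res = res->ai_next) {
        if (res->ai_family != peer->sa_family)
            continue;
        if (res->ai_family == AF_INET) {
            const struct sockaddr_in *a = (const struct sockaddr_in *)res->ai_addr;
            const struct sockaddr_in *p = (const struct sockaddr_in *)peer;
            if (a->sin_addr.s_addr == p->sin_addr.s_addr) { verdict = 1; break; }
        } else if (res->ai_family == AF_INET6) {
            const struct sockaddr_in6 *a = (const struct sockaddr_in6 *)res->ai_addr;
            const struct sockaddr_in6 *p = (const struct sockaddr_in6 *)peer;
            if (memcmp(&a->sin6_addr, &p->sin6_addr, sizeof(a->sin6_addr)) == 0) {
                verdict = 1; break;
            }
        }
    }
    freeaddrinfo(res0);  /* free the head, never the cursor */
    return verdict;
}

/* Convenience wrapper for IPv4 peers given as dotted-quad text (constructed input). */
int double_reverse_matches_ipv4(const char *claimed_name, const char *peer_ipv4)
{
    struct sockaddr_in peer;
    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    if (inet_pton(AF_INET, peer_ipv4, &peer.sin_addr) != 1)
        return -1;
    return double_reverse_matches(claimed_name, (const struct sockaddr *)&peer);
}
```

Numeric strings such as "127.0.0.1" are resolved by getaddrinfo() without consulting DNS, so the helper can be exercised offline; a real deployment passes the name obtained from the reverse lookup of the peer.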
>Audit-Trail:
>Unformatted: