NetBSD-Bugs archive


Re: bin/54080: bozohttpd prone to null pointer de-reference (SEGV)



The following reply was made to PR bin/54080; it has been noted by GNATS.

From: Leonardo Taccari <leot%NetBSD.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/54080: bozohttpd prone to null pointer de-reference (SEGV)
Date: Tue, 26 Mar 2019 17:30:54 +0100

 Hello he!
 
 he%uninett.no@localhost writes:
 > [...]
 > >Description:
 >
 > 	I have a bozohttpd running on one of my hosts exposed to the
 > 	internet at large, and recently noticed in the log that
 > 	bozohttpd had crashed several times with SEGV.  Inspecting the
 > 	core dump gave me:
 >
 > # gdb -q /usr/obj/libexec/httpd/bozohttpd.debug /home/he/html/bozohttpd.core
 > Reading symbols from /usr/obj/libexec/httpd/bozohttpd.debug...done.
 > [New process 1]
 > Core was generated by `bozohttpd'.
 > Program terminated with signal SIGSEGV, Segmentation fault.
 > #0  bozo_http_error (httpd=0x7f7fff0e1ea0, code=408, request=0x0,
 >     msg=<optimized out>) at /usr/src/libexec/httpd/bozohttpd.c:2253
 > 2253            if (code == 408 && request->hr_proto == httpd->consts.http_11)
 > (gdb) where
 > #0  bozo_http_error (httpd=0x7f7fff0e1ea0, code=408, request=0x0,
 >     msg=<optimized out>) at /usr/src/libexec/httpd/bozohttpd.c:2253
 > #1  0x000070e36ccc047a in ?? ()
 > #2  0x8080808080808080 in ?? ()
 > #3  0x0000000000000000 in ?? ()
 > (gdb) l
 > 2248            bozo_printf(httpd, "Content-Length: %d\r\n", size);
 > 2249            bozo_printf(httpd, "Server: %s\r\n", httpd->server_software);
 > 2250            if (request && request->hr_allow)
 > 2251                    bozo_printf(httpd, "Allow: %s\r\n", request->hr_allow);
 > 2252            /* RFC 7231 (HTTP/1.1) 6.5.7 */
 > 2253            if (code == 408 && request->hr_proto == httpd->consts.http_11)
 > 2254                    bozo_printf(httpd, "Connection: close\r\n");
 > 2255            bozo_printf(httpd, "\r\n");
 > 2256            /* According to the RFC 2616 sec. 9.4 HEAD method MUST NOT return a
 > 2257             * message-body in the response */
 > (gdb) p request
 > $1 = (bozo_httpreq_t *) 0x0
 > (gdb)
 >
 > 	Several other tests in this code (even visible in the list
 > 	window) test whether "request" is non-NULL, but not this
 > 	particular piece of code...
 >
 > >How-To-Repeat:
 > 	Deploy an exposed bozohttpd and watch it sometimes crash.
 > 	(I'm sure it's being "mis-used" protocol-wise, but that should
 > 	not cause it to fall over.)
 >
 > >Fix:
 > 	Introduce a test of "request", but don't know what to do if it
 > 	is NULL, so no code suggestion here...
 > [...]
 
 This was privately spotted by <maya> and fixed in
 src/libexec/httpd/bozohttpd.c,-r1.104 (that just checks for `request'
 before dereferencing it, as you have proposed.)
 
 (But unfortunately never pulled up.)
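The crashing check and the r1.104-style guard, as an added C illustration that is not bozohttpd's own source: the struct and field names are constructed stand-ins assumed from the gdb listing above, and the hr_proto comparison is by pointer as that listing shows.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the bozohttpd fields named in the gdb listing
 * (hr_proto, hr_allow, consts.http_11); not the project's own definitions.
 * Protocol strings are compared by pointer, as the quoted source line does. */
struct bozo_consts { const char *http_11; };
struct bozo_httpreq { const char *hr_proto; const char *hr_allow; };
struct bozo_httpd { struct bozo_consts consts; };

/* Shape of the crashing check: request is dereferenced unconditionally, so
 * a 408 raised while request == NULL faults exactly as in the backtrace. */
static int
connection_close_unchecked(const struct bozo_httpd *httpd, int code,
    const struct bozo_httpreq *request)
{
	return code == 408 && request->hr_proto == httpd->consts.http_11;
}

/* Shape of the fix: test request first, like the nearby hr_allow guard.
 * With no request there is no known protocol, so no header is emitted. */
static int
connection_close_checked(const struct bozo_httpd *httpd, int code,
    const struct bozo_httpreq *request)
{
	return code == 408 && request != NULL &&
	    request->hr_proto == httpd->consts.http_11;
}

/* Render the tail of the error headers into buf (which must be large
 * enough for them); returns the number of bytes written, excluding NUL. */
static int
error_headers(char *buf, size_t len, const struct bozo_httpd *httpd,
    int code, const struct bozo_httpreq *request)
{
	int n = 0;

	if (request && request->hr_allow)
		n += snprintf(buf + n, len - n, "Allow: %s\r\n", request->hr_allow);
	if (connection_close_checked(httpd, code, request))
		n += snprintf(buf + n, len - n, "Connection: close\r\n");
	n += snprintf(buf + n, len - n, "\r\n");
	return n;
}
```

Calling error_headers() with request == NULL and code 408 now yields just the blank line terminating the headers instead of a SIGSEGV.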
 