NetBSD-Bugs archive


bin/54080: bozohttpd prone to null pointer de-reference (SEGV)



>Number:         54080
>Category:       bin
>Synopsis:       bozohttpd prone to null pointer de-reference (SEGV)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 26 16:00:00 +0000 2019
>Originator:     he%uninett.no@localhost
>Release:        NetBSD 8.0
>Organization:
	Uninett AS
>Environment:
System: NetBSD xxxx.uninett.no 8.0 NetBSD 8.0 (GENERIC) #0: Sun Aug 5 00:07:14 CEST 2018 he%uninett.no@localhost:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:

	I have a bozohttpd running on one of my hosts exposed to the
	internet at large, and recently noticed in the log that
	bozohttpd had crashed several times with SEGV.  Inspecting the
	core dump gave me:

# gdb -q /usr/obj/libexec/httpd/bozohttpd.debug /home/he/html/bozohttpd.core
Reading symbols from /usr/obj/libexec/httpd/bozohttpd.debug...done.
[New process 1]
Core was generated by `bozohttpd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  bozo_http_error (httpd=0x7f7fff0e1ea0, code=408, request=0x0, 
    msg=<optimized out>) at /usr/src/libexec/httpd/bozohttpd.c:2253
2253            if (code == 408 && request->hr_proto == httpd->consts.http_11)
(gdb) where
#0  bozo_http_error (httpd=0x7f7fff0e1ea0, code=408, request=0x0, 
    msg=<optimized out>) at /usr/src/libexec/httpd/bozohttpd.c:2253
#1  0x000070e36ccc047a in ?? ()
#2  0x8080808080808080 in ?? ()
#3  0x0000000000000000 in ?? ()
(gdb) l
2248            bozo_printf(httpd, "Content-Length: %d\r\n", size);
2249            bozo_printf(httpd, "Server: %s\r\n", httpd->server_software);
2250            if (request && request->hr_allow)
2251                    bozo_printf(httpd, "Allow: %s\r\n", request->hr_allow);
2252            /* RFC 7231 (HTTP/1.1) 6.5.7 */
2253            if (code == 408 && request->hr_proto == httpd->consts.http_11)
2254                    bozo_printf(httpd, "Connection: close\r\n");
2255            bozo_printf(httpd, "\r\n");
2256            /* According to the RFC 2616 sec. 9.4 HEAD method MUST NOT return a
2257             * message-body in the response */
(gdb) p request
$1 = (bozo_httpreq_t *) 0x0
(gdb) 

	Several other tests in this code (even visible in the list
	window) test whether "request" is non-NULL, but not this
	particular piece of code...

>How-To-Repeat:
	Deploy an exposed bozohttpd and watch it sometimes crash.
	(I'm sure it's being "mis-used" protocol-wise, but that should
	not cause it to fall over.)

>Fix:
	Introduce a test of "request", but don't know what to do if it
	is NULL, so no code suggestion here...
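Added example, not the submitter's or bozohttpd's own code: a reduced C model of the check at bozohttpd.c:2253 quoted above, with the unguarded form that dereferences a NULL request next to a NULL-safe form. The struct layouts, the HTTP_11 constant and the choice to send "Connection: close" on a 408 with no parsed request are assumptions, not the upstream fix.

```c
/* Added example, not bozohttpd's own code: a reduced model of the check
 * at bozohttpd.c:2253. Field names mirror the report; the types and the
 * HTTP_11 constant are constructed stand-ins. */
#include <stdio.h>

static const char HTTP_11[] = "HTTP/1.1";

typedef struct {
	const char *hr_proto;	/* protocol, compared by pointer as in bozohttpd */
	const char *hr_allow;	/* "Allow:" value, may be NULL */
} bozo_httpreq_t;

typedef struct {
	struct { const char *http_11; } consts;
} bozohttpd_t;

/* The reported form: dereferences request unconditionally. On a 408
 * (request timeout) nothing has been parsed and request is NULL. */
static int
connection_close_unguarded(bozohttpd_t *httpd, int code,
    bozo_httpreq_t *request)
{
	return code == 408 && request->hr_proto == httpd->consts.http_11;
}

/* NULL-safe form (an assumed fix, not necessarily upstream's): test
 * request first, as the neighbouring "if (request && ...)" does; with
 * no parsed request there is no protocol to compare, so close. */
static int
connection_close_guarded(bozohttpd_t *httpd, int code,
    bozo_httpreq_t *request)
{
	if (code != 408)
		return 0;
	if (request == NULL)
		return 1;	/* nothing parsed: close instead of dereferencing */
	return request->hr_proto == httpd->consts.http_11;
}

int
main(void)
{
	bozohttpd_t httpd = { { HTTP_11 } };
	bozo_httpreq_t req = { HTTP_11, NULL };

	printf("408, HTTP/1.1 request: close=%d\n408, NULL request: close=%d\n",
	    connection_close_guarded(&httpd, 408, &req),
	    connection_close_guarded(&httpd, 408, NULL));
	/* connection_close_unguarded(&httpd, 408, NULL) would crash here. */
	return 0;
}
```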
