https://issues.apache.org/bugzilla/show_bug.cgi?id=54828

            Bug ID: 54828
           Summary: Segfault in get_request_end_time() after a failed
                    request
           Product: Apache httpd-2
           Version: 2.4.4
          Hardware: Macintosh
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_log_config
          Assignee: [email protected]
          Reporter: [email protected]
    Classification: Unclassified

Apache 2.4.4 will segfault if you have a log field containing the request's END
time (LogFormat "... %{end:msec}t ...") and you send it an invalid request.
Several 400-series errors seem to do the trick:
  - 404 not found
  - 400 bad request after sending a MOVE with no Destination:
  - 403 unauthorized

The crash is completely repeatable.

The crash is in get_request_end_time(). It successfully retrieves
'log_request_state *state' from the request record, but state is NULL, and
Apache crashes when it tries to read state->request_end_time. Here's the
backtrace:


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100068d6d in get_request_end_time ()
(gdb) bt
#0  0x0000000100068d6d in get_request_end_time ()
#1  0x0000000100068e9d in log_request_time ()
#2  0x0000000100069ea0 in process_item ()
#3  0x000000010006a188 in config_log_transaction ()
#4  0x000000010006a407 in multi_log_transaction ()
#5  0x000000010002aa45 in ap_run_log_transaction ()
#6  0x000000010003c60a in eor_bucket_cleanup ()
#7  0x0000000100465661 in run_cleanups ()
#8  0x00000001004644c5 in apr_pool_destroy ()
#9  0x000000010003c753 in eor_bucket_destroy ()
#10 0x000000010003ded0 in remove_empty_buckets ()
#11 0x000000010003de75 in send_brigade_nonblocking ()
#12 0x000000010003df4c in send_brigade_blocking ()
#13 0x000000010003d87a in ap_core_output_filter ()
#14 0x0000000100022153 in ap_pass_brigade ()
#15 0x000000010005b9a8 in ap_process_request ()
#16 0x000000010005744f in ap_process_http_sync_connection ()
#17 0x000000010005754a in ap_process_http_connection ()
#18 0x000000010001995a in ap_run_process_connection ()
#19 0x0000000100019e2b in ap_process_connection ()
#20 0x00000001000e24d8 in child_main ()
#21 0x00000001000e25e4 in make_child ()
#22 0x00000001000e2c5d in prefork_run ()
#23 0x000000010001c4d1 in ap_run_mpm ()
#24 0x000000010000d978 in main ()

(Actually I first hit this on SSL connections, so there were a few SSL-related
stack frames in there, but turning off SSL and using plain HTTP does not affect
the crash.)

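The failure mode the report describes, as an added illustration and not httpd's own mod_log_config source: a per-request state slot that is only attached on the normal request path, a logger that dereferences it unconditionally (the pattern that crashes when a 4xx request never had the state attached), and a checked variant beside it that emits "-" for the field instead, following the convention access logs use for unavailable values. The struct and function names, the clock values and the 404 request are all constructed for this example.

```c
/* Constructed model of a NULL per-request state dereference in a log
 * formatter. Not httpd code; names and values are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t usec_t;               /* microseconds since the epoch, like apr_time_t */

typedef struct {
    usec_t request_end_time;          /* set when the request finished normally */
} log_state_t;

typedef struct {
    int status;                       /* HTTP status sent for this request */
    log_state_t *log_state;           /* per-module state; NULL if never attached */
} request_rec_t;

/* Vulnerable pattern: assumes the state was attached to every request.
 * With log_state == NULL this reads through a null pointer. */
static usec_t end_time_unchecked(const request_rec_t *r)
{
    return r->log_state->request_end_time;
}

/* Checked pattern: report "no end time" instead of dereferencing NULL. */
static const usec_t *end_time_checked(const request_rec_t *r)
{
    if (r->log_state == NULL) {
        return NULL;
    }
    return &r->log_state->request_end_time;
}

/* Render the end-time field in milliseconds, or "-" when unavailable.
 * Returns the number of characters written (snprintf semantics). */
static int format_end_msec(const request_rec_t *r, char *buf, size_t n)
{
    const usec_t *t = end_time_checked(r);
    if (t == NULL) {
        return snprintf(buf, n, "-");
    }
    return snprintf(buf, n, "%lld", (long long)(*t / 1000));
}

/* Build a constructed request: a 2xx gets its state attached, a failed
 * request does not, modeling the situation in the report. */
static request_rec_t constructed_request(int status, log_state_t *st)
{
    request_rec_t r;
    r.status = status;
    r.log_state = (status < 400) ? st : NULL;
    return r;
}

/* Render the field for a constructed request with the given status. */
static const char *render_example(int status)
{
    static char buf[32];
    static log_state_t st = { 1700000000654321LL };   /* constructed end time */
    request_rec_t r = constructed_request(status, &st);
    format_end_msec(&r, buf, sizeof buf);
    return buf;
}

/* Whether the unchecked accessor would be safe to call for this status. */
static int unchecked_is_safe(int status)
{
    log_state_t st = { 0 };
    request_rec_t r = constructed_request(status, &st);
    if (r.log_state == NULL) {
        return 0;                     /* end_time_unchecked(&r) would crash here */
    }
    (void)end_time_unchecked(&r);
    return 1;
}

int main(void)
{
    printf("200 -> %s\n", render_example(200));
    printf("404 -> %s (unchecked accessor safe: %d)\n",
           render_example(404), unchecked_is_safe(404));
    return 0;
}
```

The checked accessor turns the crash into a "-" in the log line, which is the behaviour a practitioner would expect for a field that has no value on a request that failed before the end time was recorded.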