On Sun, May 14, 2017 at 10:05:37AM +0200, Jurjen Oskam wrote:
> Hi,
>
> httpd crashes with a segmentation violation when servicing requests with
> the following (minimal) config file:
>
> server "default" {
>         listen on * port 80
>         block return 401
> }
>
> It starts up OK, but on the first request this happens:
>
> # httpd -d -v -v
> startup
> server_privinit: adding server default
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> socket_rlimit: max open files 1024
> server_launch: configuring server default
> server_launch: running server default
> server_launch: configuring server default
> server_launch: running server default
> server_launch: configuring server default
> server_launch: running server default
> logger exiting, pid 88769
> lost child: pid 18355 terminated; signal 11
> server exiting, pid 90619
> server exiting, pid 37360
> parent terminating, pid 91332
>
>
> Altering the listening address or port results in the same symptom.
> Using other HTTP return codes (I've tried 402, 403, 404 and 405) does
> *not* result in a crash; these seem to work as expected.
>
> This happens on OpenBSD 6.0, 6.1 as well as -current.
>
> If I can do anything to diagnose/fix this, please let me know via a
> Cc:.
>
> Regards,
>
> Jurjen Oskam

Thanks for the report. The crash occurs when stravis(3) is passed a
NULL msg value.

Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.116
diff -u -p -r1.116 server_http.c
--- server_http.c 16 Mar 2017 10:18:11 -0000 1.116
+++ server_http.c 14 May 2017 08:33:43 -0000
@@ -887,6 +887,8 @@ server_abort_http(struct client *clt, un
msg = buf;
break;
case 401:
+ if (msg == NULL)
+ break;
if (stravis(&escapedmsg, msg, VIS_DQ) == -1) {
code = 500;
extraheader = NULL;
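Review bot: The early break added under case 401 leaves the switch before stravis() has written escapedmsg, and before anything in this case assigns extraheader, so both keep whatever value they had on entry. Please confirm that both are initialised to NULL above the switch (not visible in this hunk) so that any later use or free of them is safe on this path. The 401 response sent this way also carries no header built from msg; a one-line comment above the check saying that this is the intended result for "block return 401" without a message would make that explicit.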
@@ -898,6 +900,8 @@ server_abort_http(struct client *clt, un
}
break;
case 416:
+ if (msg == NULL)
+ break;
if (asprintf(&extraheader,
"Content-Range: %s\r\n", msg) == -1) {
code = 500;
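Review bot: The guard under case 416 is not covered by the explanation given with the patch, which only mentions stravis(3) and the 401 report; the description should say that 416 is hardened as well, since a NULL msg would otherwise be handed to the %s conversion in the asprintf() call for "Content-Range: %s\r\n". Breaking out early also means a 416 is sent with no Content-Range header at all. Consider stating in a comment whether that is acceptable, or falling back to code = 500 as the asprintf() failure branch just below already does.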