On Thu, Nov 11, 2021 at 04:29:58PM +0100, Otto Moerbeek wrote:

> On Thu, Nov 11, 2021 at 04:13:37PM +0100, Florian Obser wrote:
>
> > No idea how to reproduce this, I'm just running an httpd with debug
> > symbols and kern.nosuidcoredump=3
> > Pretty sure this is the crash various people mumbled about.
> >
> > Smells like a use-after-fruit to me.
>
> In server_http.c:351 desc->http_query is set to point in the middle of
> a string. In the cases of goto fail and goto abort below that, it will not be
> strdupped. A free of desc->http_query then later bombs.
>
> 	-Otto
>
> > Core was generated by `httpd'.
> > Program terminated with signal SIGABRT, Aborted.
> > #0  thrkill () at /tmp/-:3
> > 3       /tmp/-: No such file or directory.
> > (gdb) bt
> > #0  thrkill () at /tmp/-:3
> > #1  0x000009d1979a211e in _libc_abort () at
> >     /usr/src/lib/libc/stdlib/abort.c:51
> > #2  0x000009d19798a726 in wrterror (d=0x9d230d35980,
> >     msg=0x9d19795b05d "modified chunk-pointer %p")
> >     at /usr/src/lib/libc/stdlib/malloc.c:307
> > #3  0x000009d19798e0cc in find_chunknum (d=0x0, info=<optimized out>,
> >     ptr=0x0, check=-236688) at /usr/src/lib/libc/stdlib/malloc.c:1063
> > #4  0x000009d19798ac89 in ofree (argpool=0x7f7ffffc66b0, p=0x9d1884d6a07,
> >     clear=0, check=<optimized out>, argsz=0)
> >     at /usr/src/lib/libc/stdlib/malloc.c:1409
> > #5  0x000009d19798a96b in free (ptr=0x9d1884d6a07)
> >     at /usr/src/lib/libc/stdlib/malloc.c:1470
> > #6  0x000009cf5d137288 in server_httpdesc_free (desc=0x9d1ff641600)
> >     at /usr/src/usr.sbin/httpd/server_http.c:113
> > #7  0x000009cf5d13c1a1 in server_close_http (clt=0x9d1ff645000)
> >     at /usr/src/usr.sbin/httpd/server_http.c:1088
> > #8  0x000009cf5d133afc in server_close (clt=0x9d1ff645000,
> >     msg=0x9d1ff633380 "malformed (400 Bad Request)")
> >     at /usr/src/usr.sbin/httpd/server.c:1306
> > #9  0x000009cf5d13890d in server_abort_http (clt=0x9d1ff645000, code=400,
> >     msg=0x9cf5d113dea "malformed")
> >     at /usr/src/usr.sbin/httpd/server_http.c:1077
> > #10 0x000009cf5d137c13 in server_read_http (bev=0x9d1ff61b800,
> >     arg=0x9d1ff645000) at /usr/src/usr.sbin/httpd/server_http.c:366
> > --Type <RET> for more, q to quit, c to continue without paging--
> > #11 0x000009d1f3766f29 in bufferevent_readcb (fd=<optimized out>,
> >     event=<optimized out>, arg=0x9d1ff61b800)
> >     at /usr/src/lib/libevent/evbuffer.c:140
> > #12 0x000009d1f3765b9f in event_process_active (base=0x9d1884c5c00)
> >     at /usr/src/lib/libevent/event.c:333
> > #13 event_base_loop (base=0x9d1884c5c00, flags=0)
> >     at /usr/src/lib/libevent/event.c:483
> > #14 0x000009cf5d131a11 in proc_run (ps=0x9d1884cc800, p=0x9cf5d148a70 <procs>,
> >     procs=0x9cf5d148b90 <procs>, nproc=2, run=0x9cf5d132100 <server_init>,
> >     arg=0x0) at /usr/src/usr.sbin/httpd/proc.c:604
> > #15 0x000009cf5d1320d2 in server (ps=0x9d1884cc800, p=0x9cf5d148a70 <procs>)
> >     at /usr/src/usr.sbin/httpd/server.c:87
> > #16 0x000009cf5d1303c5 in proc_init (ps=0x9d1884cc800,
> >     procs=0x9cf5d148a70 <procs>, nproc=2, debug=0, argc=5,
> >     argv=0x7f7ffffd6de8, proc_id=PROC_SERVER)
> >     at /usr/src/usr.sbin/httpd/proc.c:260
> > #17 0x000009cf5d1276f1 in main (argc=0, argv=0x7f7ffffd6de8)
> >     at /usr/src/usr.sbin/httpd/httpd.c:220
> >
> > --
> > I'm not entirely sure you are real.
> >
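The defect Otto describes, as an added model that is not httpd's own code: a query pointer that first aims into the middle of another heap string reaches a cleanup that frees it unconditionally, unless every error path either duplicates it or NULLs it first. The struct, the request-line parser and dup_range() are hypothetical stand-ins for server_http.c's descriptor, its parsing code and the strdup() it relies on.

```c
#include <stdlib.h>
#include <string.h>
struct http_descriptor {	/* hypothetical model: only the two fields that matter */
	char *http_path;	/* owned heap copy of the request target */
	char *http_query;	/* must be an owned heap copy or NULL */
};
/* Heap copy of s[0..n); stands in for the strdup() the original relies on. */
static char *dup_range(const char *s, size_t n)
{
	char *p = malloc(n + 1);
	if (p != NULL) {
		memcpy(p, s, n);
		p[n] = '\0';
	}
	return p;
}
/* Parse "METHOD target VERSION"; 0 on success, -1 if malformed. On every
 * return http_query is heap-owned or NULL, so desc_free() can free it blindly. */
static int parse_request_target(struct http_descriptor *desc, const char *line)
{
	const char *sp, *end;
	char *q;
	desc->http_path = desc->http_query = NULL;
	if ((sp = strchr(line, ' ')) == NULL || (end = strchr(sp + 1, ' ')) == NULL)
		return -1;
	if ((desc->http_path = dup_range(sp + 1, end - sp - 1)) == NULL)
		return -1;
	/* As in server_http.c: http_query first points into the middle of http_path. */
	if ((q = strchr(desc->http_path, '?')) != NULL) {
		*q++ = '\0';
		desc->http_query = q;	/* interior pointer: must not reach free() */
	}
	if (strncmp(end + 1, "HTTP/1.", 7) != 0)
		goto fail;	/* the error path that left the interior pointer behind */
	if (desc->http_query != NULL &&
	    (desc->http_query = dup_range(q, strlen(q))) == NULL)
		goto fail;
	return 0;
fail:
	desc->http_query = NULL;	/* the fix: cleanup may then free() it safely */
	return -1;
}
/* Mirrors server_httpdesc_free(): frees both fields unconditionally. */
static void desc_free(struct http_descriptor *desc)
{
	free(desc->http_path);
	free(desc->http_query);
}
```

Without the assignment under fail:, the "GET /x?y=1 JUNK" case hands malloc an address inside http_path's allocation, which is exactly the "modified chunk-pointer" abort in the trace above.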
