Bug#895595: lighttpd: Segmentation fault on HTTP chunked input when mod_fastcgi is enabled

Fri, 13 Apr 2018 01:27:26 -0700 

Source: lighttpd
Version: 1.4.45-1
Severity: important

Dear Maintainer,

While serving Ookla Speedtest HTTP legacy fallback service with lighttpd, the 
lighttpd 1.4.45-1 (latest stable) segfaults several times an hour.

Apr 12 15:30:18 systemd[1]: lighttpd.service: Main process exited, code=killed, 
status=11/SEGV
Apr 12 15:30:18 systemd[1]: lighttpd.service: Unit entered failed state.
Apr 12 15:30:18 systemd[1]: lighttpd.service: Failed with result 'signal'.
Apr 12 15:30:18 systemd[1]: lighttpd.service: Service hold-off time over, 
scheduling restart.

(request.c.436) fd: 9 request-len: 367 \nPOST 
/speedtest/upload.php?x=1523552422398. HTTP/1.1\r\nAccept-Encoding: 
identity\r\nContent-Type: 
application/x-www-form-urlencoded\r\nTransfer-Encoding: chunked\r\n\r\n
(log.c.217) server started


Root cause looks to be Lighttpd bug, which has been resolved in 1.4.46:
https://redmine.lighttpd.net/issues/2822


If the speedtest-cli client is performing the common test towards the Lighttpd, 
then after several POST messages lighttpd instance crashes with SEGV.

2018-04-13 10:00:19: (request.c.436) fd: 16 request-len: 367 \nPOST 
/speedtest/upload.php?x=1523602817877. HTTP/1.1\r\nAccept-Encoding: 
identity\r\nContent-Type: 
application/x-www-form-urlencoded\r\nTransfer-Encoding: chunked\r\nHost: 
speedtest.host.url\r\nUser-Agent: Mozilla/5.0 (FreeBSD; U; 64bit; en-us) 
Python/3.6.5 (KHTML, like Gecko) speedtest-cli/1.0.7\r\nCache-Control: 
no-cache\r\nConnection: close\r\n\r\n 
2018-04-13 10:00:19: (response.c.350) -- splitting Request-URI 
2018-04-13 10:00:19: (response.c.351) Request-URI     :  
/speedtest/upload.php?x=1523602817877. 
2018-04-13 10:00:19: (response.c.352) URI-scheme      :  http 
2018-04-13 10:00:19: (response.c.353) URI-authority   :  speedtest.host.url
2018-04-13 10:00:19: (response.c.354) URI-path (raw)  :  /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.355) URI-path (clean):  /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.356) URI-query       :  x=1523602817877. 
2018-04-13 10:00:19: (mod_access.c.148) -- mod_access_uri_handler called 
2018-04-13 10:00:19: (response.c.490) -- before doc_root 
2018-04-13 10:00:19: (response.c.491) Doc-Root     : /var/www/html 
2018-04-13 10:00:19: (response.c.492) Rel-Path     : /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.493) Path         :  
2018-04-13 10:00:19: (response.c.542) -- after doc_root 
2018-04-13 10:00:19: (response.c.543) Doc-Root     : /var/www/html 
2018-04-13 10:00:19: (response.c.544) Rel-Path     : /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.545) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.562) -- logical -> physical 
2018-04-13 10:00:19: (response.c.563) Doc-Root     : /var/www/html 
2018-04-13 10:00:19: (response.c.564) Basedir      : /var/www/html 
2018-04-13 10:00:19: (response.c.565) Rel-Path     : /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.566) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.583) -- handling physical path 
2018-04-13 10:00:19: (response.c.584) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.591) -- file found 
2018-04-13 10:00:19: (response.c.592) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.753) -- handling subrequest 
2018-04-13 10:00:19: (response.c.754) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (mod_access.c.148) -- mod_access_uri_handler called 
2018-04-13 10:00:19: (mod_fastcgi.c.3500) handling it in mod_fastcgi 
2018-04-13 10:00:19: (connections-glue.c.403) chunked data size too large -> 
400 
2018-04-13 10:00:19: (response.c.122) Response-Header: \nHTTP/1.1 400 Bad 
Request\r\nContent-Type: text/html\r\nContent-Length: 349\r\nConnection: 
close\r\nDate: Fri, 13 Apr 2018 07:00:19 GMT\r\nServer: lighttpd/1.4.45\r\n\r\n 
2018-04-13 10:00:19: (request.c.436) fd: 18 request-len: 367 \nPOST 
/speedtest/upload.php?x=1523602817933. HTTP/1.1\r\nAccept-Encoding: 
identity\r\nContent-Type: 
application/x-www-form-urlencoded\r\nTransfer-Encoding: chunked\r\nHost: 
speedtest.host.url\r\nUser-Agent: Mozilla/5.0 (FreeBSD; U; 64bit; en-us) 
Python/3.6.5 (KHTML, like Gecko) speedtest-cli/1.0.7\r\nCache-Control: 
no-cache\r\nConnection: close\r\n\r\n 
2018-04-13 10:00:19: (response.c.350) -- splitting Request-URI 
2018-04-13 10:00:19: (response.c.351) Request-URI     :  
/speedtest/upload.php?x=1523602817933. 
2018-04-13 10:00:19: (response.c.352) URI-scheme      :  http 
2018-04-13 10:00:19: (response.c.353) URI-authority   :  speedtest.host.url
2018-04-13 10:00:19: (response.c.354) URI-path (raw)  :  /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.355) URI-path (clean):  /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.356) URI-query       :  x=1523602817933. 
2018-04-13 10:00:19: (mod_access.c.148) -- mod_access_uri_handler called 
2018-04-13 10:00:19: (response.c.490) -- before doc_root 
2018-04-13 10:00:19: (response.c.491) Doc-Root     : /var/www/html 
2018-04-13 10:00:19: (response.c.492) Rel-Path     : /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.493) Path         :  
2018-04-13 10:00:19: (response.c.542) -- after doc_root 
2018-04-13 10:00:19: (response.c.543) Doc-Root     : /var/www/html 
2018-04-13 10:00:19: (response.c.544) Rel-Path     : /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.545) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.562) -- logical -> physical 
2018-04-13 10:00:19: (response.c.563) Doc-Root     : /var/www/html 
2018-04-13 10:00:19: (response.c.564) Basedir      : /var/www/html 
2018-04-13 10:00:19: (response.c.565) Rel-Path     : /speedtest/upload.php 
2018-04-13 10:00:19: (response.c.566) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.583) -- handling physical path 
2018-04-13 10:00:19: (response.c.584) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.591) -- file found 
2018-04-13 10:00:19: (response.c.592) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (response.c.753) -- handling subrequest 
2018-04-13 10:00:19: (response.c.754) Path         : 
/var/www/html/speedtest/upload.php 
2018-04-13 10:00:19: (mod_access.c.148) -- mod_access_uri_handler called 
2018-04-13 10:00:19: (mod_fastcgi.c.3500) handling it in mod_fastcgi 
2018-04-13 10:00:19: (log.c.217) server started 



-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=et_EE.UTF-8, LC_CTYPE=et_EE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply via email to