We recently upgraded to mod_perl 2.0.11 and I found this bug was still in there.  My original report had been sent in June 2018 to modp...@perl.apache.org and maybe it fell in the bit bucket.  The instructions at https://perl.apache.org/docs/2.0/user/help/help.html#Reporting_Problems said to send it to the mod_perl users list but the response from that group was to come here.

We're running Apache 2.4 on CentOS.

- - -

Greetings.  I have a hard time believing that I have found a bug in this, but the evidence is difficult to deny.

We have customized mod_perl to patch post_config() in PerlSections.pm so that it writes out the directives to a file, because we use a dynamic configuration that mod_perl runs using database queries.  This patch lets us see the actual configuration Apache was given.

We started getting nonsensical syntax errors during apachectl -t and narrowed this down to when a ServerAlias line exceeded a certain length.  The config file as written out was correct so eventually I instrumented svav_getstr to write out the strings it was returning to ap_build_config().  I got it to write out the bufsiz and buf. Extract:

bufsiz = 207, buf = ServerAlias new new.jpl.nasa.gov lug lug.jpl.nasa.gov uavsarwiki uavsarwiki.jpl.nasa.gov m2020mobility m2020mobility.jpl.nasa.gov sec274 sec274.jpl.nasa.gov dhac dhac.jpl.nasa.gov mediawiki mediawiki.jpl.na
bufsiz = 209, buf = <Directory /websites/redirectinternal/www>

Shortly after this Apache complained about seeing </Directory> when it was expecting </VirtualHost>. You can see that the bufsiz passed is only 207, and the ServerAlias line is truncated (there was another 100+ bytes).  I assumed that it was concatenating the <Directory> line onto it so that it never saw the <Directory> opening directive.

I fixed this by patching svav_getstr to recognize whether SvPVX(sv) was longer than bufsiz and saving the remainder for the next call. That code is so horrible that the only reason I am attaching it is in the hope that it motivates someone to create a proper patch so that no one sees my message as the final word on this subject in this thread. It has however fixed our problem without (yet) introducing any others.

Why Apache calls this with such silly small buffer sizes is beyond me, but it seems to be coming from VARBUF_INIT_LEN being set to 200 in server/config.c.  It seems to grow the buffer size only when it thinks it needs to.

So the bottom line is that svav_getstr does not deal with the possibility of a line being longer than bufsiz, and it is in practice called with bufsiz being a tiny number.  It needs to be able to save the rest of a long line to return on the next call.

-------------8<---------- Start Bug Report ------------8<----------
1. Problem Description:


2. Used Components and their Configuration:

*** mod_perl version 2.000010

*** using /tmp/mod_perl/mod_perl-2.0.10/lib/Apache2/BuildConfig.pm

*** Makefile.PL options:
  MP_APR_LIB     => aprext
  MP_APXS        => /bin/apxs
  MP_COMPAT_1X   => 1
  MP_LIBNAME     => mod_perl
  MP_USE_DSO     => 1

*** The httpd binary was not found

*** (apr|apu)-config linking info

 -L/usr/lib64 -laprutil-1 -lldap_r  -llber -ldb-5.3   -lexpat -ldb-5.3
 -lapr-1  -lpthread -ldl

*** /usr/bin/perl -V
Summary of my perl5 (revision 5 version 16 subversion 3) configuration:

    osname=linux, osvers=3.10.0-514.16.1.el7.x86_64, archname=x86_64-linux-thread-multi
    uname='linux c1bm.rdu2.centos.org 3.10.0-514.16.1.el7.x86_64 #1 smp wed apr 12 15:04:24 utc 2017 x86_64 x86_64 x86_64 gnulinux '
    config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Dccdlflags=-Wl,--enable-new-dtags -Dlddlflags=-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wl,-z,relro -DDEBUGGING=-g -Dversion=5.16.3 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5 -Dsitearch=/usr/local/lib64/perl5 -Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl -Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl -Darchname=x86_64-linux-thread-multi -Dlibpth=/usr/local/lib64 /lib64 /usr/lib64 -Duseshrplib -Dusethreads -Duseithreads -Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin -Dusesitecustomize'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.8.5 20150623 (Red Hat 4.8.5-16)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -fstack-protector'
    libpth=/usr/local/lib64 /lib64 /usr/lib64
    libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=, so=so, useshrplib=true, libperl=libperl.so
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/perl5/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro '

Characteristics of this binary (from libperl):
                        USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
  Locally applied patches:
        Fedora Patch1: Removes date check, Fedora/RHEL specific
        Fedora Patch3: support for libdir64
        Fedora Patch4: use libresolv instead of libbind
        Fedora Patch5: USE_MM_LD_RUN_PATH
        Fedora Patch6: Skip hostname tests, due to builders not being network capable
        Fedora Patch7: Dont run one io test due to random builder failures
        Fedora Patch9: Fix find2perl to translate ? glob properly (RT#113054)
        Fedora Patch10: Fix broken atof (RT#109318)
        Fedora Patch13: Clear $@ before "do" I/O error (RT#113730)
        Fedora Patch14: Do not truncate syscall() return value to 32 bits (RT#113980)
        Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530)
        Fedora Patch16: Do not leak with attribute on my variable (RT#114764)
        Fedora Patch17: Allow operator after numeric keyword argument (RT#105924)
        Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984)
        Fedora Patch19: Do not crash when vivifying $|
        Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)
        Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)
        Fedora Patch22: Fix leaking tied hashes (RT#107000) [1]
        Fedora Patch23: Fix leaking tied hashes (RT#107000) [2]
        Fedora Patch24: Fix leaking tied hashes (RT#107000) [3]
        Fedora Patch25: Fix dead lock in PerlIO after fork from thread (RT#106212)
        Fedora Patch26: Make regexp safe in a signal handler (RT#114878)
        Fedora Patch27: Update h2ph(1) documentation (RT#117647)
        Fedora Patch28: Update pod2html(1) documentation (RT#117623)
        Fedora Patch29: Document Math::BigInt::CalcEmu requires Math::BigInt (CPAN RT#85015)
        RHEL Patch30: Use stronger algorithm needed for FIPS in t/op/crypt.t (RT#121591)
        RHEL Patch31: Make *DBM_File desctructors thread-safe (RT#61912)
        RHEL Patch32: Use stronger algorithm needed for FIPS in t/op/taint.t (RT#123338)
        RHEL Patch33: Remove CPU-speed-sensitive test in Benchmark test
        RHEL Patch34: Make File::Glob work with threads again
        RHEL Patch35: Fix CRLF conversion in ASCII FTP upload (CPAN RT#41642)
        RHEL Patch36: Do not leak the temp utf8 copy of namepv (CPAN RT#123786)
        RHEL Patch37: Fix duplicating PerlIO::encoding when spawning threads (RT#31923)
  Built under linux
  Compiled at Aug  2 2017 17:45:03

*** Packages of interest status:

Apache2            : -
Apache2::Request   : -
CGI                : -
ExtUtils::MakeMaker: 6.68
LWP                : -
mod_perl           : -
mod_perl2          : 2.000010

3. This is the core dump trace: (if you get a core dump):


This report was generated by t/REPORT on Thu May 24 21:06:51 2018 GMT.

-------------8<---------- End Bug Report --------------8<----------

Note: Complete the rest of the details and post this bug report to
modperl <at> perl.apache.org. To subscribe to the list send an empty
email to modperl-subscr...@perl.apache.org.

*** ./mod_perl-2.0.10/src/modules/perl/modperl_config.c 2016-10-27 
13:11:09.000000000 -0700
--- /webdata/mod_perl/mod_perl-2.0.10/src/modules/perl/modperl_config.c 
2018-06-04 16:11:33.931593422 -0700
*** 472,477 ****
--- 472,481 ----
      PerlInterpreter *perl;
  } svav_param_t;

+ char remaining_line[8192];
+ int remaining_length;
+ char *remaining_cp;
  #if AP_MODULE_MAGIC_AT_LEAST(20110329,0)
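
Review bot: The three variables added at file scope here (remaining_line, remaining_length, remaining_cp) hold the carry-over text for every caller of the function, and because they are not declared static they are also exported from the object file. Any second read that starts while a remainder is still pending, or a read that stops partway through a long line, would pick up leftover text from the previous one. svav_param_t is defined immediately above and already travels with each call, so the remainder pointer and length could be fields of that struct, which scopes the state to one pass over one array.
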
*** 494,503 ****

!     sv = AvARRAY(av)[svav_param->ix++];
!     SvPV_force(sv, n_a);
!     apr_cpystrn(buf, SvPVX(sv), bufsiz);

  #if AP_MODULE_MAGIC_AT_LEAST(20110329,0)
      return APR_SUCCESS;
--- 498,530 ----

!     if (  remaining_length > 0 )
!         {
!             apr_cpystrn( buf, remaining_cp, bufsiz );
!             remaining_length -= bufsiz-1;
!             remaining_cp += bufsiz-1;
!             if ( remaining_length < 0 )
!                 {
!                     remaining_length = 0;
!                     remaining_cp = remaining_line;
!                 }
!         }
!     else
!         {
!             sv = AvARRAY(av)[svav_param->ix++];
!             SvPV_force(sv, n_a);
!             apr_cpystrn( remaining_line, SvPVX(sv), 8191 );
!             remaining_length = strlen( remaining_line );
!             remaining_cp = remaining_line;
!             apr_cpystrn( buf, remaining_line, bufsiz );
!             remaining_length -= bufsiz-1;
!             remaining_cp += bufsiz-1;
!             if ( remaining_length < 0 )
!                 {
!                     remaining_length = 0;
!                     remaining_cp = remaining_line;
!                 }
!         }

  #if AP_MODULE_MAGIC_AT_LEAST(20110329,0)
      return APR_SUCCESS;
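
Review bot: In the else branch, apr_cpystrn( remaining_line, SvPVX(sv), 8191 ) caps the saved copy at the size of the fixed buffer, so a directive longer than that is still cut short with no error, which is the original failure at a higher threshold. Keeping a pointer into the SV's string plus an offset would remove the limit, and the length that SvPV_force stores in n_a could replace the strlen call; failing that, use sizeof(remaining_line) rather than the literal 8191 and return an error when the source does not fit. The subtract/advance/reset sequence is repeated verbatim in both branches and could be a single block after the if/else.
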
*** 558,564 ****
                                              svav_getstr, NULL);

      errmsg = ap_build_config(&parms, p, parms.temp_pool, &conftree);
      if (!errmsg) {
          errmsg = ap_walk_config(conftree, &parms, conf);
--- 585,590 ----
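
The behaviour described in the report, modelled without Apache or Perl headers, as an added example that is not the poster's patch and not mod_perl code. The names line_src_t, getstr_truncating, getstr_resumable and first_line and the sample directives are hypothetical; the model assumes each array element ends in a newline and that the caller keeps reading until it sees one.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for svav_param_t; resume state (off) is per source. */
typedef struct { const char **lines; size_t n, ix, off; } line_src_t;
typedef int (*getstr_fn)(char *buf, size_t bufsiz, line_src_t *s);

/* Constructed sample; the first directive exceeds the 16-byte window. */
static const char *SAMPLE[] = { "ServerAlias a.example.org b.example.org\n",
                                "<Directory /srv/www>\n", "</Directory>\n" };

/* Shape of the reported bug: copy at most bufsiz-1 bytes, then move on. */
static int getstr_truncating(char *buf, size_t bufsiz, line_src_t *s)
{
    if (s->ix >= s->n || bufsiz < 2) return -1;
    snprintf(buf, bufsiz, "%s", s->lines[s->ix++]);
    return 0;
}

/* Resumable: return the next bufsiz-1 bytes; advance when the element is done. */
static int getstr_resumable(char *buf, size_t bufsiz, line_src_t *s)
{
    if (s->ix >= s->n || bufsiz < 2) return -1;
    const char *rest = s->lines[s->ix] + s->off;
    size_t left = strlen(rest);
    size_t take = left < bufsiz - 1 ? left : bufsiz - 1;
    memcpy(buf, rest, take);
    buf[take] = '\0';
    if (take == left) { s->ix++; s->off = 0; } else { s->off += take; }
    return 0;
}

/* Simplified caller (assumption, not Apache's code): read until a newline. */
static const char *first_line(getstr_fn fn, char *out, size_t cap, size_t win)
{
    line_src_t s = { SAMPLE, 3, 0, 0 };
    size_t len = 0;
    out[0] = '\0';
    while (len + win <= cap && fn(out + len, win, &s) == 0) {
        len += strlen(out + len);
        if (len && out[len - 1] == '\n') return out;
    }
    return NULL; /* output buffer exhausted or source ended mid-line */
}

int main(void)
{
    char a[256], b[256];
    printf("%s", first_line(getstr_truncating, a, sizeof a, 16));
    printf("%s", first_line(getstr_resumable, b, sizeof b, 16));
}
```

With the truncating callback the first logical line comes back as the head of the ServerAlias directive followed by pieces of the next two elements, so the opening <Directory> is never seen as a directive of its own; the resumable callback returns the ServerAlias line intact.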