Thanks for the report.
I will commit version 2 soon; I am working on it actively now. It uses a
thread-per-connection model, and I am sure this bug will go away.
On Wed, Nov 26, 2008 at 3:47 PM, Antonio Aguilar <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> While testing shttpd for transferring files, I think I may have found a
> vulnerability-bug in the standalone server.
>
> When using 'curl' to fetch a large file from shttpd, if I suddenly
> interrupt the transfer using CTRL+C, shttpd becomes unstable.
>
> When I interrupt curl I get a list of 'listening' messages (using _DEBUG
> mode):
>
> FD_SET(3) (listening)
> select: 9
> FD_SET(3) (listening)
> select: 9
> FD_SET(3) (listening)
> select: 9
> FD_SET(3) (listening)
> select: 9
> FD_SET(3) (listening)
> select: 9
> FD_SET(3) (listening)
> select: 9
>
> After this, shttpd seems to get 'stuck' and accepts connections but
> doesn't serve them.
>
> Similar behaviour was triggered when using jigdo.
>
> Note that this problem doesn't happen when using wget or axel.
>
> My guess is that it has something to do with the 'resumed downloads'
> feature or curl/jigdo but I have not explored this in more detail.
>
> Could you please confirm you also get this behaviour? My system setup
> and how to duplicate the bug are listed below.
>
> Best regards,
>
> Antonio.
>
>
> This is my system setup:
>
> Linux Ubuntu 8.10, kernel 2.6.27-7-generic
> shttpd 1.42 (latest source)
> compiled with `LIBS="-ldl -lpthread" CFLAGS="-D_DEBUG" make unix`
> in this build, libssl seems to be enabled by default.
>
> These are the steps to duplicate the vulnerability-bug:
>
> 1) run shttpd in standalone mode and configure -root to a folder where
> you have a large file > 100Mb (e.g. a movie, iso image, etc.).
>
> $ sudo ./shttpd -ports 80 -root ./website/ (has movie.avi 700M file)
>
> Note that shttpd will print out many debug messages
>
> 2) use the curl client to download the file and interrupt curl after a few
> seconds (CTRL+C)
>
> $ curl http://localhost/movie.avi > movie.avi
>
> or you can also use jigdo
>
> $ jigdo http://localhost/movie.avi
>
> (you should get something like this)
>
> $ curl http://localhost/movie.avi > movie.avi
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   6  707M    6 43.8M    0     0  26.6M      0  0:00:26  0:00:01  0:00:25 26.7M^C
>
> (curl is interrupted - ^C)
>
> (check in shttpd console for debug messages)
>
> (try using wget or your web browser to view or download a page/file)
>
> $ wget http://localhost/movie.avi
> --2008-11-26 16:12:17-- http://localhost/movie.avi
> Resolving localhost... 127.0.0.1
> Connecting to localhost|127.0.0.1|:80... connected.
> HTTP request sent, awaiting response... ^C
>
> (connection hangs).
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> shttpd-general mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shttpd-general
>
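The reproduction steps quoted above, written as a repeatable regression check. This is an added example, not code from the thread or from shttpd: the function names are hypothetical, and the host, port and path of a large file are supplied by whoever runs it against their own test server.

```python
import socket
import sys

def _get(path, host):
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def fetch_status_line(host, port, path, timeout):
    """Send one GET; return the HTTP status line, or None if the server
    accepts the connection but never answers (the reported symptom)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(_get(path, host))
            data = b""
            while b"\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:  # covers timeouts, resets and refused connections
        return None
    line = data.split(b"\r\n", 1)[0].decode("latin-1")
    return line if line.startswith("HTTP/") else None

def abort_mid_transfer(host, port, path, read_bytes=65536, timeout=5.0):
    """Start a download, read part of it, then drop the connection the way
    an interrupted client does. Returns the bytes received before the drop."""
    received = 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(_get(path, host))
        while received < read_bytes:
            chunk = s.recv(4096)
            if not chunk:
                break
            received += len(chunk)
    return received  # socket is closed here while the server is still sending

def survives_client_abort(host, port, big_path, probe_path="/", timeout=5.0):
    """True if the server still answers a fresh request after an aborted one."""
    if abort_mid_transfer(host, port, big_path, timeout=timeout) == 0:
        raise RuntimeError("server sent nothing; the abort was not exercised")
    return fetch_status_line(host, port, probe_path, timeout) is not None

if __name__ == "__main__":
    # Usage: python check_abort.py HOST PORT /path-to-large-file
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok = survives_client_abort(host, port, path)
    print("server still responsive" if ok else "server hung after client abort")
    sys.exit(0 if ok else 1)
```

A non-zero exit status corresponds to the hang described in the report, so the script can gate a build of the server before and after a fix.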