I am suddenly seeing a huge number of httpd coredumps (578 in the past three
hours, coming from only 10 unique IP addresses), all of them for the same cause:
```
(gdb) backtrace
#0 apr_strtok (str=0x7f3a8800fbc8 "88.54.217.50", sep=sep@entry=0x7f3aa9d62389
", ", last=last@entry=0x0) at strings/apr_strtok.c:46
#1 0x00007f3aa9d5b2da in delay_allowed (state=tileCurrent, r=0x7f3a8801a8d0)
at ./src/mod_tile.c:838
```
This is mod_tile passing the contents of X-Forwarded-For to apr_strtok, which
then barfs. I don't understand C, but I suspected a type mismatch in apr_strtok
expecting string and getting integer or vice versa. So I tried to convert hex
0x7f3a8800fbc8 and 0x7f3aa9d62389 to text, and got 저 and 褀 respectively with
UTF-16.
Now, I am not sure that these two hex values were actually sent to apr_strtok,
nor that my hex-to-UTF-16 conversion is the correct one, but it seems very
likely that these clients are sending garbage in their X-Forwarded-For. Which
is easy for anyone to do, accidentally or maliciously. And mod_tile does no
sanity check on X-Forwarded-For before passing to apr_strtok whatever it got
from the client.
Thus, a sanity check just before mod_tile.c:838 would make a lot of sense, even
if my troubleshooting is flawed somehow.
mod_tile 0.7.1, httpd 2.4.62.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/mod_tile/issues/473
You are receiving this because you are subscribed to this thread.
Message ID: <openstreetmap/mod_tile/issues/[email protected]>
_______________________________________________
Tile-serving mailing list
[email protected]
https://lists.openstreetmap.org/listinfo/tile-serving
