Ticket #471 (new Bug report)

Opened 5 months ago

Last modified 1 week ago

libhttpd crash on invalid HTTP headers

Reported by: anonymous Assigned to: wichert
Priority: high Milestone: Gateway 1.1.5
Component: Gateway Keywords:
Cc: spam-11-2007@wwwtech.de

Description

In libhttpd/api.c, line 532 you write:

cp = index(buf,':') + 2;
if(cp) {

This is a really nasty bug: if index() returns NULL, cp becomes 2 and if(cp) only fails if index returns -2. This will never happen. Therefore you should write something like this:

cp = index(buf,':');
if(cp) {
    cp += 2;

Greetings, CK

Change History

05/29/08 09:04:30 changed by anonymous

What about this bug? It's really critical. Had non-reproducible crashes and it cost me about 2 hours to find it.

06/09/08 08:05:17 changed by anonymous

This bug caused our wifidog gateway (>1000 users) to crash every 5 to 20 minutes (non-reproducible, too). After patching, the gateway works like a charm.

06/29/08 18:18:09 changed by networkfusion

  • owner changed.
  • component changed from Auth server, Feature request to Gateway.
  • milestone changed from Not yet assigned to a Milestone to Gateway 1.1.5.

09/30/08 05:50:08 changed by wichert

  • priority changed from low to high.
  • owner set to wichert.

Your change does not make sense: Since the strncasecmp() call returned a match it is impossible for index to return anything but a sensible index. If it returns NULL the only possible reason is that your machine has bad memory which happened to flip a bit.

In fact since we know that strncasecmp returned a match we already know the exact index of the colon, so the whole test is senseless.

What would make sense is to test for *cp instead, i.e. test if there is an actual value specified in the HTTP host header. Could it be that you have incoming requests that contain an empty Host header?
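The following is an added example, not code from the ticket or from wifidog's libhttpd, that puts the two patterns discussed above side by side: the reported `index(...) + 2; if(cp)` sequence, the reporter's reordered check, and the `*cp` test wichert proposes for an empty Host value. It uses the standard `strchr()` in place of the legacy `index()`, and the buggy variant does its `+ 2` on an integer copy of the pointer so the example can show the address the machine actually computes (2, as the later comments observe) rather than rely on undefined pointer arithmetic. The header lines, function names and the whitespace-tolerant `parse_host_header()` are constructed for this example and go slightly beyond the ticket's fixed `+ 2` offset.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample header lines; not taken from the ticket or from wifidog. */
static const char *const SAMPLE_GOOD    = "Host: gateway.example";
static const char *const SAMPLE_EMPTY   = "Host: ";
static const char *const SAMPLE_NOCOLON = "GET / HTTP/1.0";

/* The pattern the ticket reports: the offset is added before the NULL test.
 * The addition is done on an integer copy of the pointer so that the example
 * observes the address a real build produces (NULL + 2 == 2) without writing
 * undefined pointer arithmetic. Returns the bogus pointer instead of
 * dereferencing it, so the demo does not crash. */
const char *value_after_colon_buggy(const char *buf)
{
    const char *hit = strchr(buf, ':');
    const char *cp = (const char *)((uintptr_t)hit + 2);
    if (cp)            /* true even when hit == NULL, because cp == 2 */
        return cp;     /* the original code would now read address 2 */
    return NULL;
}

/* The reporter's correction: test the search result before advancing.
 * Slightly stricter than the ticket's "+ 2": the space after the colon is
 * skipped only if it is really there, so a bare "Host:" cannot step past
 * the terminator. */
const char *value_after_colon_fixed(const char *buf)
{
    const char *cp = strchr(buf, ':');
    if (!cp)
        return NULL;   /* no colon: not a well-formed "Name: value" line */
    cp++;
    if (*cp == ' ')
        cp++;
    return cp;
}

/* The check wichert proposes: once strncasecmp() has matched "Host:" the
 * colon is known to exist, so what must be tested is whether a value follows
 * it. Returns 1 and copies the value into out, or 0 if the line is not a
 * Host header, the value is empty, or it does not fit the caller's buffer. */
int parse_host_header(const char *line, char *out, size_t outlen)
{
    if (strncasecmp(line, "Host:", 5) != 0)
        return 0;
    const char *cp = line + 5;
    while (*cp == ' ' || *cp == '\t')
        cp++;                          /* tolerate any amount of whitespace */
    size_t len = strcspn(cp, "\r\n");  /* value ends at end of line */
    if (len == 0 || len >= outlen)
        return 0;                      /* empty Host value (the *cp test) */
    memcpy(out, cp, len);
    out[len] = '\0';
    return 1;
}

/* Convenience wrapper: the Host value in a static buffer, or NULL. */
const char *host_of(const char *line)
{
    static char buf[64];
    return parse_host_header(line, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    printf("buggy, no colon: cp = %p (non-NULL, so if(cp) passes)\n",
           (const void *)value_after_colon_buggy(SAMPLE_NOCOLON));
    printf("fixed, no colon: cp = %p\n",
           (const void *)value_after_colon_fixed(SAMPLE_NOCOLON));
    const char *h = host_of(SAMPLE_GOOD);
    printf("good Host line:  \"%s\"\n", h ? h : "(none)");
    h = host_of(SAMPLE_EMPTY);
    printf("empty Host line: %s\n", h ? h : "rejected (empty value)");
    return 0;
}
```

Run as is, the buggy variant reports `cp = 0x2` for a line without a colon and still takes the `if (cp)` branch, which is exactly the case the reporter describes; the fixed variant returns NULL, and `parse_host_header()` separately rejects a Host line whose value is empty.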

09/30/08 05:50:28 changed by wichert

  • summary changed from Bug in libhttpd/api.c, line 532 to libhttpd crash on invalid HTTP headers.

09/30/08 08:32:28 changed by anonymous

I dunno. It's not my machine, I only searched for the bug. I didn't look for the sense of the code, I saw what the error was: index() (sic! not strncasecmp()) returned NULL and therefore cp was 2 and passed if(cp). That led to memory access at address 0 causing a segfault.

09/30/08 08:33:47 changed by anonymous

Memory access at address 2! not 0!
