AOLserver

Tracker: Bugs

7 empty HTTPS request causes null ptr deref - ID: 1012892

Last Update: Comment added ( dossy )

Details:

Using:
AOLserver 4.1.0a (HEAD)
nsopenssl 3.0 beta (HEAD)
OpenSSL 0.9.7d 17 Mar 2004
ix86 Debian 3.0

Server can be crashed by sending an empty HTTP
request, by doing something like:

$ echo "" | openssl s_client -connect hostname:8443

Backtrace looks like:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1088261040 (LWP 15192)]
0x4003701b in SetupConn (connPtr=0x80d4320) at
driver.c:1813
1813 if (hdr == NULL && connPtr->request->version
>= 1.1) {
(gdb) bt
#0 0x4003701b in SetupConn (connPtr=0x80d4320) at
driver.c:1813
#1 0x40036c19 in SockRead (drvPtr=0x8099c88,
sockPtr=0x80a659c)
at driver.c:1624
#2 0x400379a1 in ReaderThread (arg=0x8099c88) at
driver.c:2151
#3 0x40078f45 in NsThreadMain (arg=0x80d3720) at
thread.c:224
#4 0x4007a87a in ThreadMain (arg=0x80d3720) at
pthread.c:730
#5 0x4013e9b4 in start_thread ()
from /lib/tls/libpthread.so.0
#6 0x00000000 in ?? ()

What's happening is connPtr->request == NULL. While
it'd be easy to add another condition to test for that,
what bothers me is when connecting via normal HTTP,
connPtr->request is NOT NULL on an empty HTTP
request. I am guessing that nsopenssl, on empty HTTP
request, doesn't allocate an empty/initialized Req
structure and stuff it in connPtr->request.

Submitted:

Dossy Shiobara ( dossy ) - 2004-08-20 13:35

Priority:

Status:

Closed

Resolution:

Fixed

Assigned:

Dossy Shiobara

Category:

Protocol: HTTPS

Group:

aolserver_v41

Visibility:

Public

Comments ( 6 )

Date: 2004-08-25 21:18 Sender: dossy Logged In: YES user_id=21885 Bruno Mattarollo confirms that the latest nsopenssl patch makes the problem no longer reproducible on his test system where he was previously able to reliably reproduce the issue of nsopenssl connections using up 100% CPU. Patches to AOLserver 4.1.0a (HEAD), 4.0.8a (aolserver_v40_bp branch) and nsopenssl 3.0 beta (HEAD) have been commited. Will be part of nsopenssl v3_0beta22 tag. Closing this ticket.
Date: 2004-08-24 20:09 Sender: dossy Logged In: YES user_id=21885 I've gone through and cleaned up nsopenssl and am attaching the patch dated 20040824 to this ticket. This, coupled with the version-specific patches for AOLserver, should fix the 100% CPU utilization issue folks have been seeing. The root cause (from what I could tell) was that the connection was flagged for HTTP Keep-Alive, but in the case where the peer closed the connection (hit "stop" in the browser before the response was fully sent), the driver was returning the (dead) connection for keep-alive when it shouldn't have.
Date: 2004-08-23 05:11 Sender: dossy Logged In: YES user_id=21885 Small bug in the first 4.0.8a patch causes the server to not respond to requests at all -- oops. Uploading corrected patch dated 2004/08/23.
Date: 2004-08-20 21:33 Sender: dossy Logged In: YES user_id=21885 Attaching proposed fix against 4.0.8a (aolserver_v40_bp branch) which will correct the issue described in my comment dated 2004-08-20 15:39. It also resolves another bug where a non-"async" driver (such as nsopenssl) doesn't properly close the connection from ConnRun() when a malformed HTTP request is received.
Date: 2004-08-20 19:46 Sender: dossy Logged In: YES user_id=21885 Attaching proposed fix against HEAD for 4.1.0a. Not completely happy with it and I'm not even sure setting sockPtr->state = SOCK_CLOSEWAIT is the right thing to do, but it does fix the bug.
Date: 2004-08-20 19:39 Sender: dossy Logged In: YES user_id=21885 This crash bug does not exist in the 4.0.x code, fortunately. However, there's another "bug" in the 4.0.x code, relating to: nsd/driver.c: 1488 if (e == s) { 1489 /* Look for a blank line on its own prior to any "real" 1490 * data. We eat up to 2 of these before closing the 1491 * connection. 1492 */ 1493 if (bufPtr->length == 2 && e[0] == '\r' && e [1] == '\n') { Using "telnet" to test nssock, and "openssl s_client" to test nsopenssl, I found that hitting <enter> in telnet sends a "\r\n" while "openssl s_client" sends just "\n". So, on 4.0.x and an nsopenssl connection, you can send as many blank lines as you want ...

Attached Files ( 4 )

Filename	Description	Download
bug-1012892-v410a-patch.txt	patch against HEAD for 4.1.0a	Download
bug-1012892-v408a-patch.txt	patch against aolserver_v40_bp branch for 4.0.8a	Download
bug-1012892-v408a-patch-20040823.txt	patch against aolserver_v40_bp branch for 4.0.8a - 20040823	Download
bug-1012892-nsopenssl-patch.txt	patch against nsopenssl HEAD - 20040824	Download

Changes ( 10 )

Field	Old Value	Date	By
close_date	-	2004-08-25 21:18	dossy
resolution_id	None	2004-08-25 21:18	dossy
status_id	Open	2004-08-25 21:18	dossy
File Added	99024: bug-1012892-nsopenssl-patch.txt	2004-08-24 20:09	dossy
File Added	98750: bug-1012892-v408a-patch-20040823.txt	2004-08-23 05:11	dossy
File Added	98546: bug-1012892-v408a-patch.txt	2004-08-20 21:39	dossy
File Added	98545: bug-1012892-v410a-patch.txt	2004-08-20 21:38	dossy
assigned_to	scottg	2004-08-20 19:39	dossy
priority	5	2004-08-20 19:39	dossy
artifact_group_id	aolserver_v40	2004-08-20 19:39	dossy

AOLserver

Tracker: Bugs

Comments ( 6 )

Attached Files ( 4 )

Changes ( 10 )

About SourceForge

Find Software

Develop Software

Community

Help