Bug 23836

Summary: Malformed host headers causes mod_include to seg fault
Product: Apache httpd-2 Reporter: M. Brian Akins <bakins>
Component: mod_includeAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED    
Severity: critical    
Priority: P3    
Version: 2.0.47   
Target Milestone: ---   
Hardware: All   
OS: other   

Description M. Brian Akins 2003-10-15 13:10:15 UTC
AddOutputFilterByType INCLUDES text/html text/plain

Send "/" in host header.  Seg fault...

In function add_include_vars()

Quick fix: 

--- mod_include.c.orig	Tue Oct 14 13:54:43 2003
+++ mod_include.c	Tue Oct 14 13:44:23 2003
@@ -3353,7 +3353,7 @@
     include_server_config *sconf= ap_get_module_config(r->server->module_config,
-    if (!(ap_allow_options(r) & OPT_INCLUDES)) {
+    if (!(ap_allow_options(r) & OPT_INCLUDES) || (r->status == HTTP_BAD_REQUEST)) {
         return ap_pass_brigade(f->next, b);

Here's the backtrace:
#0  0x402558f3 in strrchr () from /lib/i686/libc.so.6
#1  0x08180000 in ?? ()
#2  0x4031595b in add_include_vars (r=0x817edf0, timefmt=0x4031d614 "%A,%d-%b-%Y
%H:%M:%S %Z") at mod_include.c:158
#3  0x4031c4fd in includes_filter (f=0x8180000, b=0x8180050) atmod_include.c:3399
#4  0x0807ebe3 in ap_pass_brigade (next=0x8180000, bb=0x8180050) atutil_filter.c:550
#5  0x08081dce in ap_old_write_filter (f=0x8180038, bb=0x8180050) atprotocol.c:1321
#6  0x0807ebe3 in ap_pass_brigade (next=0x8180038, bb=0x8180190) atutil_filter.c:550
#7  0x080814ae in end_output_stream (r=0x817edf0) at protocol.c:1039
#8  0x0808151b in ap_finalize_request_protocol (r=0x817edf0) atprotocol.c:1061
#9  0x080697e5 in ap_send_error_response (r=0x817edf0,recursive_error=0) at
#10 0x08081050 in ap_read_request (conn=0x817ae50) at protocol.c:904
#11 0x080650eb in ap_process_http_connection (c=0x817ae50) athttp_core.c:286
#12 0x0807c1ef in ap_run_process_connection (c=0x817ae50) atconnection.c:85
#13 0x0807c5e6 in ap_process_connection (c=0x817ae50, csd=0x817ad70)
#14 0x0806c819 in process_socket (p=0x817ad38, sock=0x817ad70,my_child_num=0,
my_thread_num=0,    bucket_alloc=0x8132128) at worker.c:632
#15 0x0806d047 in worker_thread (thd=0x81082c0, dummy=0x80e1af0) atworker.c:947
#16 0x40111d60 in dummy_worker (opaque=0x81082c0) at thread.c:127
#17 0x40125c6f in pthread_start_thread (arg=0x407c7be0) at manager.c:279
Comment 1 Jeff Trawick 2003-10-23 18:05:17 UTC
A different patch was committed to 2.1-dev and has been approved for stable branch.