Bug 54828

Summary: Segfault in get_request_end_time() after a failed request
Product: Apache httpd-2
Reporter: Wim Lewis <wiml>
Component: mod_log_config
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: major
Keywords: FixedInTrunk, PatchAvailable
Priority: P2
Version: 2.4.4
Target Milestone: ---
Hardware: Macintosh
OS: All

Description Wim Lewis 2013-04-11 00:12:30 UTC
Apache 2.4.4 will segfault if you have a log field containing the request's END time (LogFormat "... %{end:msec}t ...") and you send it an invalid request. Several 400-series errors seem to do the trick:
  - 404 not found
  - 400 bad request after sending a MOVE with no Destination:
  - 403 unauthorized

The crash is completely repeatable.

The crash is in get_request_end_time(). It successfully retrieves 'log_request_state *state' from the request record, but state is NULL, and Apache crashes when it tries to read state->request_end_time. Here's the backtrace:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100068d6d in get_request_end_time ()
(gdb) bt
#0  0x0000000100068d6d in get_request_end_time ()
#1  0x0000000100068e9d in log_request_time ()
#2  0x0000000100069ea0 in process_item ()
#3  0x000000010006a188 in config_log_transaction ()
#4  0x000000010006a407 in multi_log_transaction ()
#5  0x000000010002aa45 in ap_run_log_transaction ()
#6  0x000000010003c60a in eor_bucket_cleanup ()
#7  0x0000000100465661 in run_cleanups ()
#8  0x00000001004644c5 in apr_pool_destroy ()
#9  0x000000010003c753 in eor_bucket_destroy ()
#10 0x000000010003ded0 in remove_empty_buckets ()
#11 0x000000010003de75 in send_brigade_nonblocking ()
#12 0x000000010003df4c in send_brigade_blocking ()
#13 0x000000010003d87a in ap_core_output_filter ()
#14 0x0000000100022153 in ap_pass_brigade ()
#15 0x000000010005b9a8 in ap_process_request ()
#16 0x000000010005744f in ap_process_http_sync_connection ()
#17 0x000000010005754a in ap_process_http_connection ()
#18 0x000000010001995a in ap_run_process_connection ()
#19 0x0000000100019e2b in ap_process_connection ()
#20 0x00000001000e24d8 in child_main ()
#21 0x00000001000e25e4 in make_child ()
#22 0x00000001000e2c5d in prefork_run ()
#23 0x000000010001c4d1 in ap_run_mpm ()
#24 0x000000010000d978 in main ()

(Actually I first hit this on SSL connections, so there were a few SSL-related stack frames in there, but turning off SSL and using plain HTTP does not affect the crash.)
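The crash shape described above, as an added C model (this is not httpd's source and not the patch referenced in the comments): a request that fails before the per-request logging state is attached reaches the logger with a NULL state slot. The types, `attach_log_state`, `now_usec` and both `get_request_end_time_*` functions are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified stand-ins for httpd's request record and apr_time_t (assumption). */
typedef int64_t req_time_t;              /* microseconds, like apr_time_t */

typedef struct {
    req_time_t request_end_time;         /* 0 means "not recorded yet" */
} log_request_state;

typedef struct {
    int status;                          /* HTTP status, e.g. 404 */
    log_request_state *log_state;        /* per-request module config slot; NULL if never set */
    log_request_state pool_slot;         /* stand-in for request-pool allocation */
} request_rec;

static req_time_t now_usec(void) { return (req_time_t)time(NULL) * 1000000; }

/* Normal path: an earlier request hook attaches the state before logging runs. */
void attach_log_state(request_rec *r) {
    r->log_state = &r->pool_slot;
    r->log_state->request_end_time = 0;
}

/* Vulnerable shape from the report: state is used without a NULL check, so a
 * request rejected before the hook ran (state == NULL) crashes inside the logger. */
req_time_t get_request_end_time_unsafe(request_rec *r) {
    log_request_state *state = r->log_state;
    if (state->request_end_time == 0)    /* NULL dereference when state == NULL */
        state->request_end_time = now_usec();
    return state->request_end_time;
}

/* Hardened shape: a missing state means "nothing recorded"; create it lazily so
 * %{end:msec}t still logs a value for 4xx responses instead of faulting. */
req_time_t get_request_end_time_safe(request_rec *r) {
    log_request_state *state = r->log_state;
    if (state == NULL) {
        state = &r->pool_slot;
        memset(state, 0, sizeof *state);
        r->log_state = state;
    }
    if (state->request_end_time == 0)
        state->request_end_time = now_usec();
    return state->request_end_time;
}
```

`main` is omitted; call `get_request_end_time_safe` on a `request_rec` whose `log_state` is NULL (a constructed failed request) to see the fallback path in action.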
Comment 1 Rainer Jung 2013-04-14 11:19:15 UTC
Fixed for trunk in r1467765.
Will propose for backport to 2.4.x.

Could you please verify the patch?
It is available at

    http://people.apache.org/~rjung/patches/httpd-2_4-request_end_time.patch

or

    http://svn.apache.org/viewvc?view=revision&revision=r1467765

Thanks!

Rainer
Comment 2 Wim Lewis 2013-04-15 22:37:46 UTC
The patch applies cleanly to 2.4.4 and fixes the crash, at least for the causes I had isolated earlier. Thanks!
Comment 3 Rainer Jung 2013-04-16 07:45:51 UTC
Fixed in 2.4.x in r1467981. Will be part of 2.4.5.
Comment 4 Graham Leggett 2013-04-30 14:10:46 UTC
Fixed in v2.4.5.