Bug 60275

Summary: [patch] segfault on ap_fcgi_encoded_env_len if an environment variable value is null
Product: Apache httpd-2 Reporter: alex2grad
Component: mod_proxy_fcgiAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED    
Severity: critical Keywords: FixedInTrunk, PatchAvailable
Priority: P2    
Version: 2.4.23   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: The patch which fixes segfault in ap_fcgi_encoded_env_len/ap_fcgi_encode_env

Description alex2grad 2016-10-18 22:02:07 UTC 
Created attachment 34388 [details]
The patch which fixes segfault in ap_fcgi_encoded_env_len/ap_fcgi_encode_env

If the value of environment variable is NULL then the next code in the function ap_fcgi_encoded_env_len causes segfault
----
vallen = strlen(elts[i].val);
----

The AUTHENTICATE_* environment variables could be NULL
if the a SQL query returns NULL values.

Attached patch fixes this issue.

The backtrace
=============
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f0649d04710 (LWP 12340)]
0x00007f0650bc09a2 in strlen () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f0650bc09a2 in strlen () from /lib64/libc.so.6
#1  0x00007f0653391530 in ap_fcgi_encoded_env_len ()
#2  0x00007f064ce4b88d in ?? () from /opt/lib/httpd/modules/mod_proxy_fcgi.so
#3  0x00007f064d25c732 in proxy_run_scheme_handler () from /opt/lib/httpd/modules/mod_proxy.so
#4  0x00007f064d261863 in ?? () from /opt/lib/httpd/modules/mod_proxy.so
#5  0x00007f0653388cc0 in ap_run_handler ()
#6  0x00007f065338d11e in ap_invoke_handler ()
#7  0x00007f06533a145a in ap_process_async_request ()
#8  0x00007f065339d561 in ?? ()
#9  0x00007f06533941f0 in ap_run_process_connection ()
#10 0x00007f064c36e485 in ?? () from /opt/lib/httpd/modules/mod_mpm_event.so
#11 0x00007f06510be980 in start_thread () from /lib64/libpthread.so.0
#12 0x00007f0650c23b3d in clone () from /lib64/libc.so.6
=============
Comment 1 Eric Covener 2016-12-21 16:13:55 UTC 
Thanks Alex, do you know if these are safe to be put in the environment passed down to the FCGI?  Curious if you've seen them listed out on the other side safely after the patch.
Comment 2 Eric Covener 2016-12-21 16:19:59 UTC 
commited with cosmetic changes to trunk and will propose for backport
Comment 3 alex2grad 2016-12-21 16:33:06 UTC 
(In reply to Eric Covener from comment #1)
> Thanks Alex, do you know if these are safe to be put in the environment
> passed down to the FCGI?  Curious if you've seen them listed out on the
> other side safely after the patch.

I use the $_SERVER["AUTHENTICATE_*"] variables in PHP-FPM.
This patch resolved the issue.