httpd-dev mailing list archives

From Brian Akins <bak...@web.turner.com>
Subject Re: malformed header causes segfault
Date Tue, 14 Oct 2003 17:39:02 GMT
On Tue, 2003-10-14 at 12:26, Brian Akins wrote:

> > I figured out that if I send a "/" in the Host header this will be triggered.
> > It seems to be in mod_include. Can anyone else reproduce this?
> 
> Someone else confirmed on a couple of installs.  This seems to only
> happen when AddOutputFilterByType INCLUDES text/html ... is used.

Here's the backtrace:
#0  0x402558f3 in strrchr () from /lib/i686/libc.so.6
#1  0x08180000 in ?? ()
#2  0x4031595b in add_include_vars (r=0x817edf0, timefmt=0x4031d614 "%A, %d-%b-%Y %H:%M:%S %Z") at mod_include.c:158
#3  0x4031c4fd in includes_filter (f=0x8180000, b=0x8180050) at mod_include.c:3399
#4  0x0807ebe3 in ap_pass_brigade (next=0x8180000, bb=0x8180050) at util_filter.c:550
#5  0x08081dce in ap_old_write_filter (f=0x8180038, bb=0x8180050) at protocol.c:1321
#6  0x0807ebe3 in ap_pass_brigade (next=0x8180038, bb=0x8180190) at util_filter.c:550
#7  0x080814ae in end_output_stream (r=0x817edf0) at protocol.c:1039
#8  0x0808151b in ap_finalize_request_protocol (r=0x817edf0) at protocol.c:1061
#9  0x080697e5 in ap_send_error_response (r=0x817edf0, recursive_error=0) at http_protocol.c:2423
#10 0x08081050 in ap_read_request (conn=0x817ae50) at protocol.c:904
#11 0x080650eb in ap_process_http_connection (c=0x817ae50) at http_core.c:286
#12 0x0807c1ef in ap_run_process_connection (c=0x817ae50) at connection.c:85
#13 0x0807c5e6 in ap_process_connection (c=0x817ae50, csd=0x817ad70) at connection.c:211
#14 0x0806c819 in process_socket (p=0x817ad38, sock=0x817ad70, my_child_num=0, my_thread_num=0, bucket_alloc=0x8132128) at worker.c:632
#15 0x0806d047 in worker_thread (thd=0x81082c0, dummy=0x80e1af0) at worker.c:947
#16 0x40111d60 in dummy_worker (opaque=0x81082c0) at thread.c:127
#17 0x40125c6f in pthread_start_thread (arg=0x407c7be0) at manager.c:279


Here's that code:
static void add_include_vars(request_rec *r, char *timefmt)
{
    apr_table_t *e = r->subprocess_env;
    char *t;

    apr_table_setn(e, "DATE_LOCAL", LAZY_VALUE);
    apr_table_setn(e, "DATE_GMT", LAZY_VALUE);
    apr_table_setn(e, "LAST_MODIFIED", LAZY_VALUE);
    apr_table_setn(e, "DOCUMENT_URI", r->uri);
    if (r->path_info && *r->path_info) {
        apr_table_setn(e, "DOCUMENT_PATH_INFO", r->path_info);
    }
    apr_table_setn(e, "USER_NAME", LAZY_VALUE);
    if ((t = strrchr(r->filename, '/'))) {
        apr_table_setn(e, "DOCUMENT_NAME", ++t);
    }
    else {
        apr_table_setn(e, "DOCUMENT_NAME", r->uri);
    }
    if (r->args) {
        char *arg_copy = apr_pstrdup(r->pool, r->args);

        ap_unescape_url(arg_copy);
        apr_table_setn(e, "QUERY_STRING_UNESCAPED",
                  ap_escape_shell_cmd(r->pool, arg_copy));
    }
}


Looks like r->filename is NULL because it was an Invalid request....

Thoughts?
-- 
Brian Akins <bakins@web.turner.com>
CNN Internet Technologies
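
Added example, not part of the original message or of Apache's source: a stand-alone C model of the DOCUMENT_NAME logic quoted above, with a NULL check on the filename before strrchr() is called. The names mini_request, document_name() and name_for(), the sample paths, and the empty-string fallback are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the request_rec fields add_include_vars() reads. */
struct mini_request {
    const char *filename; /* NULL if the request was rejected before a file was mapped */
    const char *uri;
};

/* Value to store as DOCUMENT_NAME; never passes NULL to strrchr(). */
static const char *document_name(const struct mini_request *r)
{
    const char *t;

    if (r->filename != NULL && (t = strrchr(r->filename, '/')) != NULL) {
        return t + 1;   /* basename of the mapped file */
    }
    if (r->uri != NULL) {
        return r->uri;  /* same fallback as the else-branch in the quoted code */
    }
    return "";          /* assumption: empty name when nothing was parsed */
}

/* Convenience wrapper for the constructed cases below. */
static const char *name_for(const char *filename, const char *uri)
{
    struct mini_request r = { filename, uri };
    return document_name(&r);
}

int main(void)
{
    /* Constructed inputs: a normal request, an invalid request with no
       filename (the condition suspected in the message), and one with
       neither field set. */
    printf("[%s]\n", name_for("/var/www/html/index.shtml", "/index.shtml"));
    printf("[%s]\n", name_for(NULL, "/index.shtml"));
    printf("[%s]\n", name_for(NULL, NULL));
    return 0;
}
```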

