From: Joshua Slive
To: dev@httpd.apache.org
Subject: Re: mod_mbox still core dumping on ajax
Date: Wed, 14 Sep 2005 15:55:11 -0400
Message-ID: <4328801F.10706@slive.ca>
References: <43287831.80203@slive.ca> <43287D15.4000107@force-elite.com>
In-Reply-To: <43287D15.4000107@force-elite.com>

Paul Querna wrote:
> Joshua Slive wrote:
>> There are now around 1700 core files in ajax:/raid1/httpd-cores
>> I see at least two separate bugs.
>
> Can you post backtraces? We fixed the crashes you posted back on 8/25.

Yes, but I did mention that there were others. Three backtraces are
attached below. They all seem to be null-pointer related, and therefore
probably not exploitable. I hope.

Joshua.

#0  mbox_cache_get_count (mli=0x60000000001f57a0, count=0x60000fffffffa5d0, path=0x60000000001f6208 "200506.mbox") at mbox_cache.c:247
247       memcpy(count, nv.dptr, sizeof(int));
(gdb) where
#0  mbox_cache_get_count (mli=0x60000000001f57a0, count=0x60000fffffffa5d0, path=0x60000000001f6208 "200506.mbox") at mbox_cache.c:247
#1  0x200000000100e250 in show_index_file_info (r=0x600000000020cae0, mli=0x60000000001f57a0, path=0x60000000001f6208 "200506.mbox") at mod_mbox_index.c:84
#2  0x200000000100e8a0 in generate_mbox_index (r=0x600000000020cae0) at mod_mbox_index.c:187
#3  0x40000000000358f0 in ap_run_handler (r=0x600000000020cae0) at config.c:153
#4  0x40000000000368d0 in ap_invoke_handler (r=0x600000000020cae0) at config.c:317
#5  0x400000000002f460 in ap_process_request (r=0x600000000020cae0) at http_request.c:226
#6  0x40000000000249d0 in ap_process_http_connection (c=0x60000000001d9610) at http_core.c:233
#7  0x400000000004d1b0 in ap_run_process_connection (c=0x60000000001d9610) at connection.c:43
#8  0x4000000000032270 in child_main (child_num_arg=23984) at prefork.c:610
#9  0x4000000000032540 in make_child (s=0x60000000000703e0, slot=370) at prefork.c:704
#10 0x4000000000032ae0 in perform_idle_server_maintenance (p=0xb) at prefork.c:839
#11 0x4000000000033920 in ap_mpm_run (_pconf=0x0, plog=0x6000000000040288, s=0x0) at prefork.c:863
#12 0x4000000000041610 in main (argc=5, argv=0x60000fffffffabd8) at main.c:618
(gdb) print nv
$1 = {dptr = 0x0, dsize = 0}

#0  fetch_message (r=0x6000000000208860, f=0x6000000000217b88) at mod_mbox_file.c:746
746       if (!(multipart && mctx->get_part != 0)) {
(gdb) where
#0  fetch_message (r=0x6000000000208860, f=0x6000000000217b88) at mod_mbox_file.c:746
#1  0x200000000100da80 in mbox_file_handler (r=0x6000000000208860) at mod_mbox_file.c:951
#2  0x40000000000358f0 in ap_run_handler (r=0x6000000000208860) at config.c:153
#3  0x40000000000368d0 in ap_invoke_handler (r=0x6000000000208860) at config.c:317
#4  0x400000000002f460 in ap_process_request (r=0x6000000000208860) at http_request.c:226
#5  0x40000000000249d0 in ap_process_http_connection (c=0x60000000001d9800) at http_core.c:233
#6  0x400000000004d1b0 in ap_run_process_connection (c=0x60000000001d9800) at connection.c:43
#7  0x4000000000032270 in child_main (child_num_arg=23984) at prefork.c:610
#8  0x4000000000032540 in make_child (s=0x600000000008ec90, slot=165) at prefork.c:704
#9  0x4000000000032ae0 in perform_idle_server_maintenance (p=0x4) at prefork.c:839
#10 0x4000000000033920 in ap_mpm_run (_pconf=0x0, plog=0x6000000000040288, s=0x0) at prefork.c:863
#11 0x4000000000041610 in main (argc=5, argv=0x60000fffffffabd8) at main.c:618
(gdb) print mctx
$1 = (mbox_mpartf_ctx *) 0x0

(gdb) where
#0  0x20000000009f8300 in strstr () from /lib/tls/libc.so.6.1
#1  0x200000000100b6c0 in mbox_mpart_filter (f=0x6000000000247ee0, bb=0x6000000000247f50) at mod_mbox_file.c:370
#2  0x4000000000052fc0 in ap_pass_brigade (next=0x6000000000247ee0, bb=0x6000000000247f50) at util_filter.c:488
#3  0x200000000100c820 in fetch_message (r=0x600000000023ee60, f=0x6000000000207f80) at mod_mbox_file.c:763
#4  0x200000000100da80 in mbox_file_handler (r=0x600000000023ee60) at mod_mbox_file.c:951
#5  0x40000000000358f0 in ap_run_handler (r=0x600000000023ee60) at config.c:153
#6  0x40000000000368d0 in ap_invoke_handler (r=0x600000000023ee60) at config.c:317
#7  0x400000000002f460 in ap_process_request (r=0x600000000023ee60) at http_request.c:226
#8  0x40000000000249d0 in ap_process_http_connection (c=0x60000000001d9ca0) at http_core.c:233
#9  0x400000000004d1b0 in ap_run_process_connection (c=0x60000000001d9ca0) at connection.c:43
#10 0x4000000000032270 in child_main (child_num_arg=23984) at prefork.c:610
#11 0x4000000000032540 in make_child (s=0x60000000000bfdc0, slot=290) at prefork.c:704
#12 0x4000000000032ae0 in perform_idle_server_maintenance (p=0x6) at prefork.c:839
#13 0x4000000000033920 in ap_mpm_run (_pconf=0x0, plog=0x6000000000040288, s=0x0) at prefork.c:863
#14 0x4000000000041610 in main (argc=5, argv=0x60000fffffffabd8) at main.c:618
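An added illustration of the first crash in the thread, not code from mod_mbox or the poster: `print nv` shows a DBM-style lookup returning `{dptr = 0x0, dsize = 0}` for a missing key, which the unchecked `memcpy()` then dereferences. The in-memory cache table, the key names and all function names below are constructed for this example; the hardened variant validates the datum and reports failure to the caller instead of crashing the prefork child.

```c
#include <stddef.h>
#include <string.h>

/* DBM-style {dptr, dsize} result, as gdb printed it; constructed, not mod_mbox code. */
typedef struct { const void *dptr; size_t dsize; } datum_t;

/* Constructed in-memory stand-in for the on-disk index cache. */
static const struct { const char *key; int count; } cache[] = {
    { "200505.mbox", 42 },
    { "200506.mbox", 17 },
};

/* Constructed fetch: an absent key yields {NULL, 0}, the datum from the crash. */
static datum_t cache_fetch(const char *key)
{
    datum_t nv = { NULL, 0 };
    size_t i;
    for (i = 0; i < sizeof cache / sizeof cache[0]; i++) {
        if (strcmp(cache[i].key, key) == 0) {
            nv.dptr = &cache[i].count;
            nv.dsize = sizeof(int);
        }
    }
    return nv;
}

/* Unchecked form, like mbox_cache.c:247 in the report: a missing key is a SIGSEGV. */
void get_count_unchecked(int *count, const char *path)
{
    datum_t nv = cache_fetch(path);
    memcpy(count, nv.dptr, sizeof(int));   /* nv.dptr may be NULL here */
}

/* Hardened form: reject NULL or a wrongly sized entry and report it to the caller. */
int get_count_checked(int *count, const char *path)
{
    datum_t nv = cache_fetch(path);
    if (nv.dptr == NULL || nv.dsize != sizeof(int)) {
        return -1;                         /* not found or malformed entry */
    }
    memcpy(count, nv.dptr, sizeof(int));
    return 0;
}

/* Wrapper so callers get a plain value: the count, or -1 when absent. */
int count_or_minus_one(const char *path)
{
    int n = 0;
    return get_count_checked(&n, path) == 0 ? n : -1;
}
```

The second and third traces are the same class of defect (a NULL `mctx` filter context and a NULL argument reaching `strstr()`), and the remedy is the same: test the pointer, and size where one is stored, before the first use.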