libmicrohttpd

[libmicrohttpd] Error in post_process_urlencoded leads to segfault


From: Nicolas Mora
Subject: [libmicrohttpd] Error in post_process_urlencoded leads to segfault
Date: Sun, 28 Jun 2020 09:11:00 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0

Hello,

While running the unit tests in Ulfius, I just realized that MHD 0.9.70
generates an error while testing post processor limits.

The context is the following.
Inside the callback function, MHD_create_post_processor is called first
with a buffer size of 1024. I just read in MHD doc that "for good
performance, use 32k or 64k", but even with 64k, the problem remains.

MHD_create_post_processor (connection, 1024, mhd_iterate_post_data,
(void *) con_info);

Then, MHD_post_process is called using upload_data and upload_data_size:
MHD_post_process (con_info->post_processor, upload_data, *upload_data_size);

The problem occurs when *upload_data_size is bigger than buffer_size. It
seems that MHD_post_process iterates until it reaches upload_data, and
then fails.

In my test case, the callback function echoes the request body in the
response, then several body lengths are tested: 128, 256, 512, 1024,
2048, 16k, 2M. The request content-type is x-url-encoded, but the body
is a simple set of '0' aligned.

This is the failing test:
https://github.com/babelouest/ulfius/blob/master/test/core.c#L476
Using the current parameters, the test will fail after
request.binary_body_length = 2048;

I don't know if my code doesn't use the MHD API properly, but for now the
only way I have found to fix this is to avoid testing the outer limits.

Valgrind says that a problem occurs in postprocessor.c:640
memcpy (&kbuf[pp->buffer_pos],
            start_key,
            end_key - start_key);

Valgrind's output is as follows:
==266354== Thread 3 MHD-connection:
==266354== Invalid write of size 2
==266354==    at 0x4842B33: memmove (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==266354==    by 0x4C3717F: memcpy (string_fortified.h:34)
==266354==    by 0x4C3717F: post_process_urlencoded (postprocessor.c:640)
==266354==    by 0x4C37B9D: MHD_post_process (postprocessor.c:1383)
==266354==    by 0x4A6DE09: ulfius_webservice_dispatcher (ulfius.c:481)
==266354==    by 0x4C2B0D0: process_request_body (connection.c:2422)
==266354==    by 0x4C2B0D0: MHD_connection_handle_idle (connection.c:3433)
==266354==    by 0x4C2C45D: call_handlers (daemon.c:1215)
==266354==    by 0x4C2FC58: thread_main_handle_connection (daemon.c:2077)
==266354==    by 0x4C08608: start_thread (pthread_create.c:477)
==266354==    by 0x498E102: clone (clone.S:95)
==266354==  Address 0x5f89af8 is 1,192 bytes inside a block of size
1,193 alloc'd
==266354==    at 0x483DD99: calloc (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==266354==    by 0x4C379D2: MHD_create_post_processor (postprocessor.c:340)
==266354==    by 0x4A6DB44: ulfius_webservice_dispatcher (ulfius.c:452)
==266354==    by 0x4C289B0: call_connection_handler (connection.c:2220)
==266354==    by 0x4C2A27F: MHD_connection_handle_idle (connection.c:3397)
==266354==    by 0x4C2C45D: call_handlers (daemon.c:1215)
==266354==    by 0x4C2FC58: thread_main_handle_connection (daemon.c:2077)
==266354==    by 0x4C08608: start_thread (pthread_create.c:477)
==266354==    by 0x498E102: clone (clone.S:95)
==266354==
==266354== Invalid write of size 1
==266354==    at 0x4842B63: memmove (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==266354==    by 0x4C3717F: memcpy (string_fortified.h:34)
==266354==    by 0x4C3717F: post_process_urlencoded (postprocessor.c:640)
==266354==    by 0x4C37B9D: MHD_post_process (postprocessor.c:1383)
==266354==    by 0x4A6DE09: ulfius_webservice_dispatcher (ulfius.c:481)
==266354==    by 0x4C2B0D0: process_request_body (connection.c:2422)
==266354==    by 0x4C2B0D0: MHD_connection_handle_idle (connection.c:3433)
==266354==    by 0x4C2C45D: call_handlers (daemon.c:1215)
==266354==    by 0x4C2FC58: thread_main_handle_connection (daemon.c:2077)
==266354==    by 0x4C08608: start_thread (pthread_create.c:477)
==266354==    by 0x498E102: clone (clone.S:95)
==266354==  Address 0x5fbfa89 is 0 bytes after a block of size 1,193 alloc'd
==266354==    at 0x483DD99: calloc (in
/usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==266354==    by 0x4C379D2: MHD_create_post_processor (postprocessor.c:340)
==266354==    by 0x4A6DB44: ulfius_webservice_dispatcher (ulfius.c:452)
==266354==    by 0x4C289B0: call_connection_handler (connection.c:2220)
==266354==    by 0x4C2A27F: MHD_connection_handle_idle (connection.c:3397)
==266354==    by 0x4C2C45D: call_handlers (daemon.c:1215)
==266354==    by 0x4C2FC58: thread_main_handle_connection (daemon.c:2077)
==266354==    by 0x4C08608: start_thread (pthread_create.c:477)
==266354==    by 0x498E102: clone (clone.S:95)
==266354==
--266354-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11
(SIGSEGV) - exiting
--266354-- si_code=128;  Faulting address: 0x0;  sp: 0x1005e87df0

valgrind: the 'impossible' happened:
   Killed by fatal signal
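The Valgrind trace above shows the block allocated in MHD_create_post_processor being written 1 and 2 bytes past its end by the memcpy in post_process_urlencoded, once the key being accumulated outgrows the buffer_size the caller chose. The following is an added example, not libmicrohttpd's or Ulfius's code: a constructed, simplified url-encoded post processor with the same shape (a fixed key buffer, a buffer_pos carried across MHD_post_process-style calls, and a memcpy of each key fragment) in which the copy is bounds-checked, so a key that does not fit is reported to the caller instead of overrunning the heap block. All names (struct kp, the kp_* functions, the KP_* values) are hypothetical, the 4096-byte stack body is an assumption sized for the report's 2048-byte case, and the '0'-filled body mirrors the test described in the report.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not libmicrohttpd's code: a url-encoded post
 * processor with a fixed-size key buffer, shaped after the memcpy at
 * postprocessor.c:640 in the trace above. All names are hypothetical. */
enum kp_state { KP_IN_KEY, KP_IN_VALUE };
enum kp_status { KP_OK = 0, KP_KEY_TOO_LONG = 1, KP_NO_MEMORY = 2 };

struct kp {
  char *kbuf;                        /* key buffer of buffer_size bytes */
  size_t buffer_size, buffer_pos;    /* invariant: buffer_pos < buffer_size */
  enum kp_state state;
  size_t keys_seen;                  /* keys terminated by '=' or '&' */
};

static int kp_init(struct kp *pp, size_t buffer_size)
{
  memset(pp, 0, sizeof(*pp));
  if (buffer_size == 0 || (pp->kbuf = calloc(buffer_size, 1)) == NULL)
    return 0;
  pp->buffer_size = buffer_size;
  return 1;
}

/* Bounded append of a key fragment. The unchecked form,
 *   memcpy(&kbuf[pp->buffer_pos], start_key, end_key - start_key);
 * is what Valgrind flags above once a key outgrows the buffer. */
static enum kp_status
kp_append_key(struct kp *pp, const char *start_key, const char *end_key)
{
  size_t len = (size_t)(end_key - start_key);
  /* One byte stays reserved for the NUL; the invariant rules out underflow. */
  if (len >= pp->buffer_size - pp->buffer_pos)
    return KP_KEY_TOO_LONG;
  memcpy(&pp->kbuf[pp->buffer_pos], start_key, len);
  pp->buffer_pos += len;
  pp->kbuf[pp->buffer_pos] = '\0';
  return KP_OK;
}

/* Consume one upload chunk, as MHD_post_process(pp, data, size) would. A key
 * runs up to '=' or '&', a value up to the next '&'. Partial keys persist in
 * kbuf between calls; buffer_pos records how much is already there. */
static enum kp_status kp_process(struct kp *pp, const char *data, size_t size)
{
  const char *p = data, *end = data + size;
  while (p < end) {
    if (pp->state == KP_IN_KEY) {
      const char *start_key = p;
      while (p < end && *p != '=' && *p != '&') p++;
      if (kp_append_key(pp, start_key, p) != KP_OK)
        return KP_KEY_TOO_LONG;
      if (p < end) {                 /* delimiter reached: key complete */
        pp->state = (*p == '=') ? KP_IN_VALUE : KP_IN_KEY;
        pp->keys_seen++;
        pp->buffer_pos = 0;
        p++;
      }
    } else {
      while (p < end && *p != '&') p++;
      if (p < end) { pp->state = KP_IN_KEY; p++; }
    }
  }
  return KP_OK;
}

/* The report's shape: body_len '0' bytes with no '=' anywhere, so the whole
 * body is one key, fed in a single call to a processor with buffer_size. */
static enum kp_status kp_run_zeros(size_t buffer_size, size_t body_len)
{
  struct kp pp; enum kp_status st;
  char body[4096];                   /* assumed bound; covers the 2048 case */
  if (body_len > sizeof body || !kp_init(&pp, buffer_size))
    return KP_NO_MEMORY;
  memset(body, '0', body_len);
  st = kp_process(&pp, body, body_len);
  free(pp.kbuf);
  return st;
}

/* Count the keys in a NUL-terminated body delivered in chunks of at most
 * chunk bytes through a 1024-byte key buffer; -1 if a key does not fit. */
static long kp_count_keys(const char *body, size_t chunk)
{
  struct kp pp;
  size_t len = strlen(body), off; long result = -1;
  if (chunk == 0 || !kp_init(&pp, 1024))
    return -1;
  for (off = 0; off < len; off += chunk) {
    size_t n = (len - off < chunk) ? len - off : chunk;
    if (kp_process(&pp, body + off, n) != KP_OK)
      goto out;
  }
  result = (long)pp.keys_seen;
out:
  free(pp.kbuf);
  return result;
}
```

With a 1024-byte key buffer, kp_run_zeros(1024, 128) and kp_run_zeros(1024, 1023) succeed, while kp_run_zeros(1024, 1024) and kp_run_zeros(1024, 2048) return KP_KEY_TOO_LONG from the length check rather than writing past kbuf. kp_count_keys("a=1&bb=22", 1) returns 2 just as the unchunked call does, because the partial key bytes stay in kbuf across calls, which is the role buffer_pos plays in the real processor too.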
