Bug 49246

Summary: httpd/mod_cache segfaults on pathless request
Product: Apache httpd-2
Reporter: Mark Drayton <mark>
Component: mod_cache
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: major
Priority: P2
Version: 2.2.15
Target Milestone: ---
Hardware: PC
OS: Linux

Description Mark Drayton 2010-05-04 09:19:57 UTC
When configured with a virtual host, caching and a non-empty CacheIgnoreURLSessionIdentifiers parameter, httpd segfaults on requests with no path. Configuration:

NameVirtualHost *:80
<VirtualHost *:80>
  ServerName www.example.com
  CacheEnable disk /
  CacheRoot /tmp/cache-root
  CacheDefaultExpire 86400
  CacheIgnoreURLSessionIdentifiers cachebuster
</VirtualHost>

Test:

host:~ tail -0f logs/error_log &
[1] 7637
host:~ (echo "GET http://www.example.com HTTP/1.0"; echo) | nc localhost 80
[Tue May 04 14:12:47 2010] [notice] child pid 7617 exit signal Segmentation fault (11)

GDB:

(gdb) b ap_process_request
Breakpoint 1 at 0x44d4ac: file http_request.c, line 276.
(gdb) run -X -d /usr/local/apache2
Starting program: /usr/local/apache2/bin/httpd -X -d /usr/local/apache2
[Thread debugging using libthread_db enabled]
[New Thread 0x2b6659641860 (LWP 12669)]

Breakpoint 1, ap_process_request (r=0xd694558) at http_request.c:276
276	    if (ap_extended_status)
(gdb) n
278	    access_status = ap_run_quick_handler(r, 0);  /* Not a look-up request */
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x0000003e06678fe0 in strchr () from /lib64/libc.so.6
(gdb) bt
#0  0x0000003e06678fe0 in strchr () from /lib64/libc.so.6
#1  0x0000003e06679ade in strrchr () from /lib64/libc.so.6
#2  0x00002b665b066f7f in cache_generate_key_default (r=0xd694558, p=0xd6944e8, key=0x7fff521544d8) at cache_storage.c:498
#3  0x00002b665b0666c8 in cache_select (r=0xd694558) at cache_storage.c:192
#4  0x00002b665b0638ae in cache_url_handler (r=0xd694558, lookup=0) at mod_cache.c:112
#5  0x000000000043ba0e in ap_run_quick_handler (r=0xd694558, lookup=0) at config.c:160
#6  0x000000000044d4e0 in ap_process_request (r=0xd694558) at http_request.c:278
#7  0x000000000044a049 in ap_process_http_connection (c=0xd68e5b8) at http_core.c:190
#8  0x000000000044500e in ap_run_process_connection (c=0xd68e5b8) at connection.c:43
#9  0x0000000000445448 in ap_process_connection (c=0xd68e5b8, csd=0xd68e3c8) at connection.c:178
#10 0x0000000000454089 in child_main (child_num_arg=0) at prefork.c:662
#11 0x000000000045416c in make_child (s=0xd5b3dd8, slot=0) at prefork.c:702
#12 0x0000000000454701 in ap_mpm_run (_pconf=0xd5ac6c8, plog=0xd5de858, s=0xd5b3dd8) at prefork.c:978
#13 0x00000000004220ef in main (argc=4, argv=0x7fff52154a78) at main.c:740
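The backtrace places the fault inside strrchr() called from cache key generation for a request whose URI carries no path component. The following is an added illustration, not httpd's code and not the fix shipped in 2.2.16: it assumes the crash is a NULL path being handed to strrchr(), and shows a constructed key builder (the `parsed_uri` struct, `copy_without` and `cache_key` are all assumed names) that substitutes "/" for a missing path before any strrchr() and strips the configured `cachebuster` parameter from both the query string and path-segment parameters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a parsed request-target. path and query are NULL when
 * absent, as for "GET http://www.example.com HTTP/1.0" in the report. */
struct parsed_uri { const char *host; const char *path; const char *query; };

/* Copy src to dst, dropping "name=value" parameters whose name is `ignore`.
 * sep is '&' for a query string or ';' for path-segment parameters.
 * Returns the number of characters written (dst is NUL-terminated). */
static size_t copy_without(char *dst, const char *src, char sep, const char *ignore)
{
    size_t n = 0, ilen = strlen(ignore);
    while (*src) {
        const char *end = strchr(src, sep);
        size_t len = end ? (size_t)(end - src) : strlen(src);
        int drop = len > ilen && strncmp(src, ignore, ilen) == 0 && src[ilen] == '=';
        if (!drop) {
            if (n) dst[n++] = sep;
            memcpy(dst + n, src, len);
            n += len;
        }
        src += len + (end ? 1 : 0);
    }
    dst[n] = '\0';
    return n;
}

/* Build "host/path?query" with the session parameter removed. A missing path
 * becomes "/" before strrchr() runs, so a pathless request cannot fault here. */
char *cache_key(const struct parsed_uri *u, const char *ignore)
{
    const char *path = u->path ? u->path : "/";          /* the guard */
    const char *query = u->query ? u->query : "";
    const char *last = strrchr(path, '/');                /* never NULL input now */
    size_t head = last ? (size_t)(last - path + 1) : 0;   /* keep directories as-is */
    char *key = malloc(strlen(u->host) + strlen(path) + strlen(query) + 3), *p;
    if (!key) return NULL;
    p = key + sprintf(key, "%s", u->host);
    memcpy(p, path, head); p += head;
    p += copy_without(p, path + head, ';', ignore);      /* last segment's ;params */
    p[0] = '?';
    if (copy_without(p + 1, query, '&', ignore) == 0)
        p[0] = '\0';                                     /* nothing left: no '?' */
    return key;
}
```

With the report's pathless request the key becomes "www.example.com/" instead of a crash; a request with "/a/b;cachebuster=9?x=1&cachebuster=2" keys as "www.example.com/a/b?x=1".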
Comment 1 Graham Leggett 2010-10-18 18:54:58 UTC
Fixed in httpd v2.2.16.