
Bug#547047: marked as done (polipo crashes when server reply contains "Cache-Control: max-age")



Your message dated Sat, 03 Apr 2010 18:43:44 +0000
with message-id <E1Ny8Js-0005Wb-Kj@ries.debian.org>
and subject line Bug#547047: fixed in polipo 1.0.4.1-1
has caused the Debian Bug report #547047,
regarding polipo crashes when server reply contains "Cache-Control: max-age"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
547047: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=547047
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: polipo
Version: 1.0.4-1
Severity: grave
Tags: patch
Justification: renders package unusable

When polipo receives a "Cache-Control: max-age" line without a value,
it logs a parsing error but then continues to use the not-parsed value,
resulting in a segfault. It does this in several places in http_parse.c.
I have attached a stacktrace and patch that seems to
work for me. You should check that I have not missed an occurrence of the
same error.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages polipo depends on:
ii  libc6                         2.9-26     GNU C Library: Shared libraries

polipo recommends no packages.

polipo suggests no packages.

-- no debconf information
--- polipo-1.0.4.orig/http_parse.c
+++ polipo-1.0.4/http_parse.c
@@ -1088,9 +1088,10 @@
                                  (v_end >= 0 ? v_end : token_end) -
                                  token_start);
                         do_log(L_WARN, "\n");
+                    } else {
+                        a = atoi(buf + v_start);
+                        cache_control.max_age = a;
                     }
-                    a = atoi(buf + v_start);
-                    cache_control.max_age = a;
                 } else if(token_compare(buf, token_start, token_end,
                                         "s-maxage")) {
                     int a;
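Review bot: In the new else branch for max-age, `a = atoi(buf + v_start);` still cannot tell a malformed value from 0 and does not stop at v_end, so a non-numeric value is silently stored as max_age = 0. Suggest a bounded conversion over buf[v_start..v_end) that reports failure, and taking the warning path when it fails. The condition guarding this branch is above the visible context; please confirm it rejects v_start < 0, which is the value the attached backtrace shows at the crash.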
@@ -1100,9 +1101,10 @@
                                  (v_end >= 0 ? v_end : token_end) -
                                  token_start);
                         do_log(L_WARN, "\n");
+                    } else {
+                        a = atoi(buf + v_start);
+                        cache_control.max_age = a;
                     }
-                    a = atoi(buf + v_start);
-                    cache_control.max_age = a;
                 } else if(token_compare(buf, token_start, token_end,
                                         "min-fresh")) {
                     int a;
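Review bot: This hunk sits in the branch opened by the "s-maxage" comparison at the end of the previous hunk, yet the added line is still `cache_control.max_age = a;`, as were the removed lines. The cache_control structure printed in the attached backtrace has a separate s_maxage member, so this looks like a copy-and-paste slip that the patch carries forward. While the lines are being moved anyway, the assignment should probably become `cache_control.s_maxage = a;`.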
@@ -1112,9 +1114,10 @@
                                  (v_end >= 0 ? v_end : token_end) -
                                  token_start);
                         do_log(L_WARN, "\n");
+                    } else {
+                        a = atoi(buf + v_start);
+                        cache_control.max_age = a;
                     }
-                    a = atoi(buf + v_start);
-                    cache_control.max_age = a;
                 } else if(token_compare(buf, token_start, token_end,
                                         "max-stale")) {
                     int a;
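Review bot: The min-fresh branch (opened by the "min-fresh" comparison just above this hunk) also ends in `cache_control.max_age = a;`, so a min-fresh value overwrites max_age and the min_fresh member shown in the backtrace is never set here. The patch moves that assignment into the else branch unchanged; it should probably be `cache_control.min_fresh = a;`.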
@@ -1124,9 +1127,10 @@
                                  (v_end >= 0 ? v_end : token_end) -
                                  token_start);
                         do_log(L_WARN, "\n");
+                    } else {
+                        a = atoi(buf + v_start);
+                        cache_control.max_stale = a;
                     }
-                    a = atoi(buf + v_start);
-                    cache_control.max_stale = a;
                 } else {
                     do_log(L_WARN, "Unsupported Cache-Control directive ");
                     do_log_n(L_WARN, buf + token_start, 
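Review bot: With this hunk the same warn-else-atoi-assign sequence appears four times, differing only in the target member, which is how the wrong member ended up in two of the branches and why the report asks for a check of missed occurrences. Suggest moving the guard and conversion into one helper that takes buf, v_start and v_end and returns an error when the value is missing, so each branch becomes a single call plus an assignment and the temporary `int a` disappears.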
(gdb) bt full                                                                                                            
#0  0xb7f22b38 in *__GI_____strtol_l_internal (nptr=0xb7dcefff <Address 0xb7dcefff out of bounds>, endptr=0x0, base=10,  
    group=0, loc=0xb804c380) at strtol_l.c:298                                                                           
        negative = <value optimized out>                                                                                 
        cutoff = <value optimized out>                                                                                   
        i = <value optimized out>                                                                                        
        s = <value optimized out>                                                                                        
        c = <value optimized out>                                                                                        
        save = <value optimized out>                                                                                     
        end = <value optimized out>                                                                                      
        overflow = <value optimized out>                                                                                 
        cnt = <value optimized out>                                                                                      
        current = <value optimized out>                                                                                  
        thousands = 0x0                                                                                                  
        thousands_len = <value optimized out>                                                                            
        grouping = 0x0                                                                                                   
#1  0xb7f228a0 in *__GI_strtol (nptr=0xb7dcefff <Address 0xb7dcefff out of bounds>, endptr=0x0, base=10) at strtol.c:110 
No locals.                                                                                                               
#2  0xb7f1f891 in atoi (nptr=0xb7dcefff <Address 0xb7dcefff out of bounds>) at atoi.c:28                                 
No locals.                                                                                                               
#3  0x08061e18 in httpParseHeaders (client=0, url=0x979fe28,                                                             
    buf=0xb7dcf000 "HTTP/1.1 200 OK\r\nDate: Wed, 16 Sep 2009 21:03:06 GMT\r\nServer: Apache/2.2.9 (Unix) mod_jk/1.2.26\r\nSet-Cookie: GY_1HIST=loc%3Dfeldkirchen%3A%3A%3A%23vaterstetten%3A%3A%3A%23%7C%7Ccat%3Dcopy+shop%23; Exp"...,           
    start=17, request=0x979faf8, headers_return=0xbff52d10, len_return=0xbff52d0c, cache_control_return=0xbff52ccc,      
    condition_return=0x0, te_return=0xbff52d08, date_return=0xbff52d00, last_modified_return=0xbff52cfc,                 
    expires_return=0xbff52cf8, polipo_age_return=0x0, polipo_access_return=0x0, polipo_body_offset_return=0x0,           
    age_return=0xbff52d04, etag_return=0xbff52cf4, expect_return=0x0, range_return=0x0,                                  
    content_range_return=0xbff52ce0, location_return=0x0, via_return=0xbff52cf0, auth_return=0x0) at http_parse.c:1092   
        v_start = -1                                                                                                     
        v_end = -1                                                                                                       
        local = 0                                                                                                        
        hbuf_small = "\r\nServer: Apache/2.2.9 (Unix) mod_jk/1.2.26\r\nSet-Cookie: GY_1HIST=loc%3Dfeldkirchen%3A%3A%3A%23vaterstetten%3A%3A%3A%23%7C%7Ccat%3Dcopy+shop%23; Expires=Thu, 16-Sep-2010 21:03:07 GMT; Path=/\365\277O\361\365\267\364\277\4\270\377\377\334\267\b\276\b\270\360*\365\277\f+\365\277u<\224|X\30\a\270"...                                       
        hbuf = 0xbff529f8 "\r\nServer: Apache/2.2.9 (Unix) mod_jk/1.2.26\r\nSet-Cookie: GY_1HIST=loc%3Dfeldkirchen%3A%3A%3A%23vaterstetten%3A%3A%3A%23%7C%7Ccat%3Dcopy+shop%23; Expires=Thu, 16-Sep-2010 21:03:07 GMT; Path=/\365\277O\361\365\267\364\277\4\270"...                                                                                                       
        hbuf_size = 512                                                                                                  
        hbuf_length = 190                                                                                                
        i = 268                                                                                                          
        j = 268                                                                                                          
        name_start = 244                                                                                                 
        name_end = <value optimized out>                                                                                 
        value_start = 259                                                                                                
        value_end = 266                                                                                                  
        token_start = 259                                                                                                
        token_end = 266                                                                                                  
        end = 1                                                                                                          
        name = 0x979ab68                                                                                                 
        date = 1253134986                                                                                                
        last_modified = -1                                                                                               
        expires = -1                                                                                                     
        polipo_age = -1                                                                                                  
        polipo_access = -1                                                                                               
        polipo_body_offset = -1                                                                                          
        len = -1                                                                                                         
        endptr = 0xb804d190 " \3z\t\320\373y\t\320\373y\t\320\373y\t\270\375y\t`\261y\t\240\321\4\270\240\321\4\270\250\321\4\270\250\321\4\270\260\321\4\270\260\321\4\270\270\321\4\270\270\321\4\270\300\321\4\270\300\321\4\270\310\321\4\270\310\321\4\270\320\321\4\270\320\321\4\270\330\321\4\270\330\321\4\270\340\321\4\270\340\321\4\270\350\321\4\270\350\321\4\270\360\321\4\270\360\321\4\270\370\321\4\270\370\321\4\270"                                                            
        te = 0                                                                                                           
        age = -1                                                                                                         
        etag = 0x0                                                                                                       
        ifrange = 0x0                                                                                                    
        persistent = 1                                                                                                   
        location = 0x0                                                                                                   
        via = 0x0                                                                                                        
        auth = 0x0                                                                                                       
        expect = 0x0                                                                                                     
        condition = <value optimized out>                                                                                
        ims = -1                                                                                                         
        inms = -1                                                                                                        
        im = 0x0                                                                                                         
        inm = 0x0                                                                                                        
        hopToHop = 0x0                                                                                                   
        haveCacheControl = 1                                                                                             
        __PRETTY_FUNCTION__ = "httpParseHeaders"                                                                         
#4  0x0805dd54 in httpServerHandlerHeaders (eof=0, event=0x979fdd0, srequest=0x979fde0, connection=0x979fb60)            
    at server.c:1920                                                                                                     
        request = 0x979faf8                                                                                              
        object = 0x979f9a8                                                                                               
        rc = <value optimized out>                                                                                       
        code = <value optimized out>                                                                                     
        version = 1                                                                                                      
        full_len = <value optimized out>                                                                                 
        headers = <value optimized out>                                                                                  
        len = <value optimized out>                                                                                      
        te = <value optimized out>                                                                                       
        cache_control = {flags = 134600709, max_age = 256, s_maxage = 4, min_fresh = 0, max_stale = 158989160}           
        age = -1                                                                                                         
        date = <value optimized out>                                                                                     
        last_modified = <value optimized out>                                                                            
        expires = <value optimized out>                                                                                  
        init_time = <value optimized out>                                                                                
        etag = <value optimized out>                                                                                     
        via = <value optimized out>                                                                                      
        new_via = <value optimized out>                                                                                  
        expect_body = <value optimized out>                                                                              
        content_range = {from = 4096, to = 134605195, full_length = 158989152}                                           
        new_object = <value optimized out>                                                                               
        supersede = <value optimized out>                                                                                
        message = 0x979fe10
        url = 0x979fe28
        __PRETTY_FUNCTION__ = "httpServerHandlerHeaders"
#5  0x0805ea6d in httpServerReplyHandler (status=0, event=0x979fdd0, srequest=0x979fde0) at server.c:1807
        connection = 0x979fb60
        request = 0x979faf8
        i = <value optimized out>
        body = 620
        bufsize = 4096
        __PRETTY_FUNCTION__ = "httpServerReplyHandler"
#6  0x0804cdef in do_scheduled_stream (status=0, event=0x979fdd0) at io.c:368
        request = 0x979fde0
        rc = <value optimized out>
        done = <value optimized out>
        i = 1
        iov = {{iov_base = 0xb7dcf000, iov_len = 4096}, {iov_base = 0x979fd30, iov_len = 3}, {iov_base = 0xc,
            iov_len = 24}, {iov_base = 0xbff52dd8, iov_len = 134525095}, {iov_base = 0x979fd38, iov_len = 3220516312}, {
            iov_base = 0x4e20, iov_len = 4}}
        chunk_header_len = 158989160
        chunk_header = "\374\267\0\0\0\0\1\0\0"
        len12 = 4096
        len123 = 4096
        __PRETTY_FUNCTION__ = "do_scheduled_stream"
#7  0x0804b3ef in eventLoop () at event.c:713
        rc = <value optimized out>
        i = 2
        done = <value optimized out>
        n = 0
        event = 0x979fdd0
#8  0x08053f2d in main (argc=8, argv=0xbff52ed4) at main.c:165
        listener = 0xb804c380
        i = 8
        rc = <value optimized out>
        expire = 0
        printConfig = 0

--- End Message ---
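The failure described in the report, a directive without "=value" leaving v_start at -1, handled by a parser that refuses to convert a missing value and never reads past v_end. This is an added example, not code from polipo or from the reporter; the function names and the sample header values are assumptions, and only the v_start/v_end convention is taken from the backtrace. It goes slightly beyond the patch by also rejecting empty, non-numeric and overflowing values.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Locate directive `name` in a Cache-Control value. Returns 1 if present;
   v_start/v_end delimit its value and stay -1 when there is no "=value"
   (the case in this report). Quoted-string values are not handled. */
static int find_directive(const char *hdr, const char *name,
                          int *v_start, int *v_end)
{
    const char *p = hdr;

    *v_start = *v_end = -1;
    while (*(p += strspn(p, " \t,")) != '\0') {   /* skip separators */
        size_t tlen = strcspn(p, " \t,=");
        int match = tlen == strlen(name) && !strncasecmp(p, name, tlen);
        p += tlen;
        if (*p == '=') {
            size_t vlen = strcspn(++p, " \t,");
            if (match) {
                *v_start = (int)(p - hdr);
                *v_end = *v_start + (int)vlen;
            }
            p += vlen;
        }
        if (match)
            return 1;
        p += strcspn(p, ",");                     /* skip rest of this item */
    }
    return 0;
}

/* Convert hdr[v_start, v_end) to non-negative seconds; -1 on bad input. */
static int parse_delta_seconds(const char *hdr, int v_start, int v_end)
{
    int i, val = 0;

    if (v_start < 0 || v_end <= v_start)
        return -1;                      /* missing or empty value */
    for (i = v_start; i < v_end; i++) {
        if (hdr[i] < '0' || hdr[i] > '9' || val > (INT_MAX - 9) / 10)
            return -1;                  /* non-digit, or next step may overflow */
        val = val * 10 + (hdr[i] - '0');
    }
    return val;
}

/* max-age in seconds, or -1 when absent or malformed. */
int cache_control_max_age(const char *hdr)
{
    int v_start, v_end;

    if (!find_directive(hdr, "max-age", &v_start, &v_end))
        return -1;
    return parse_delta_seconds(hdr, v_start, v_end);
}

int main(void)
{
    /* Constructed header values, not taken from the report. */
    printf("%d %d\n", cache_control_max_age("public, max-age"),
           cache_control_max_age("public, max-age=3600"));
    return 0;
}
```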
--- Begin Message ---
Source: polipo
Source-Version: 1.0.4.1-1

We believe that the bug you reported is fixed in the latest version of
polipo, which is due to be installed in the Debian FTP archive:

polipo_1.0.4.1-1.diff.gz
  to main/p/polipo/polipo_1.0.4.1-1.diff.gz
polipo_1.0.4.1-1.dsc
  to main/p/polipo/polipo_1.0.4.1-1.dsc
polipo_1.0.4.1-1_i386.deb
  to main/p/polipo/polipo_1.0.4.1-1_i386.deb
polipo_1.0.4.1.orig.tar.gz
  to main/p/polipo/polipo_1.0.4.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 547047@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erinn Clark <erinn@torproject.org> (supplier of updated polipo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 31 Mar 2010 19:26:20 -0700
Source: polipo
Binary: polipo
Architecture: source i386
Version: 1.0.4.1-1
Distribution: unstable
Urgency: low
Maintainer: Erinn Clark <erinn@torproject.org>
Changed-By: Erinn Clark <erinn@torproject.org>
Description: 
 polipo     - a small, caching web proxy
Closes: 481601 547047 574613
Changes: 
 polipo (1.0.4.1-1) unstable; urgency=low
 .
   * New maintainer.
   * New upstream release.
   * Update Standards-Version to 3.8.4.
   * Remove duplicate word in long description (closes: #574613)
   * Remove 30_log-permission patch. (closes: #481601)
   * Remove 40_segfault_max_age.dpatch. (closes: #547047)
   * Remove 50_integer_overflow.dpatch. Fixed upstream.
   * Remove 60_security_fixes.dpatch. Fixed upstream.
   * Put /var/cache/polipo and /var/log/polipo in the .deb and
     stop managing them in postinst and postrm.
   * Remove offline and online options from polipo-control.




--- End Message ---
