php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #51977 thttpd segfault on X86_64?
Submitted: 2010-06-02 17:18 UTC Modified: 2013-12-18 00:29 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: znfwhy at 163 dot com Assigned: sas (profile)
Status: Closed Package: Other web server
PHP Version: 5.2.13 OS: Debian Squeeze
Private report: No CVE-ID: None
 [2010-06-02 17:18 UTC] znfwhy at 163 dot com
Description:
------------
HTTP POST with 16KB more content will cause thttpd segfault on X86_64.

here is the back trace result:
...
Program received signal SIGSEGV, Segmentation fault.
0x0000003d7d278d80 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x0000003d7d278d80 in strlen () from /lib/libc.so.6
#1  0x0000003d7d278ab6 in strdup () from /lib/libc.so.6
#2  0x0000000000432cf0 in thttpd_php_request ()
#3  0x000000000042d7bb in httpd_start_request ()
#4  0x0000000000423a84 in _start ()

Test script:
---------------
<html>
  <head>
    PHP5 test page
  </head>
  <body>

    <div id=main style="width: 130px; height: 130px;">
      <form  method="POST"  enctype="text/html" action="/test.php">
        <textarea name=test>
        </textarea>
        <input type="submit" value="submit">
      </form>
    </div>
  </body>
</html>

Expected result:
----------------
info of PHP5 printed by test.php.

Actual result:
--------------
nothing, but thttpd exit with segfault.

Patches

php5_thttpd_upload_large_content_segfault.patch (last revision 2010-06-02 15:19 UTC by znfwhy at 163 dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-06-02 17:26 UTC] johannes@php.net
-Status: Open +Status: Feedback
 [2010-06-02 17:26 UTC] johannes@php.net
The thttpd code isn't really maintained since 2005. I looked throught code but couldn't find the relevant strdup call. Could you please recompile PHP using --enable-debug and then generate a "bt full", maybe the issue can be found then.
 [2010-06-03 05:08 UTC] znfwhy at 163 dot com
-Status: Feedback +Status: Open
 [2010-06-03 05:08 UTC] znfwhy at 163 dot com
Recompiled php5 with --enable-debug, and backtrace info listed below.
But this issue is cased by line 1770, file sapi/thttpd/thttpd_patch of php5.
Type miss match whiling convert pointer to int on X86_64.

(gdb) bt
#0  0x0000003d7d278d80 in strlen () from /lib/libc.so.6
#1  0x0000003d7d278ab6 in strdup () from /lib/libc.so.6
#2  0x000000000043b693 in thttpd_request_ctor () at php_thttpd.c:458
#3  0x000000000043b848 in thttpd_real_php_request (hc=0xa1f300, show_source=0)
    at php_thttpd.c:671
#4  0x000000000043b938 in thttpd_php_request (hc=0xa1f300, show_source=0)
    at php_thttpd.c:704
#5  0x0000000000432c44 in really_start_request (hc=0xa1f300,
    nowP=0x7fff4b0bba20) at libhttpd.c:3708
#6  0x0000000000433077 in httpd_start_request (hc=0xa1f300,
    nowP=0x7fff4b0bba20) at libhttpd.c:3801
#7  0x000000000042707c in boot_request (c=0x9fb880, tvP=0x7fff4b0bba20)
    at thttpd.c:1548
#8  0x00000000004277a3 in handle_read_body (c=0x9fb880, tvP=0x7fff4b0bba20)
    at thttpd.c:1774
#9  0x0000000000424a7d in main (argc=3, argv=0x7fff4b0bcc68) at thttpd.c:617
 [2010-06-20 19:54 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: sas
 [2013-12-18 00:28 UTC] sas@php.net
Hi,

please reopen ticket if this particular issue reoccurs.

Preferrably try another web server..

Thank you for using PHP.

Best
Sascha
 [2013-12-18 00:29 UTC] sas@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 30 08:01:31 2024 UTC