Description of problem:
Long URLs (more than 2048 characters) cause squid to SEGV. The code contains specific length limits for URLs, but this is a compile-time limit and defaults to 4096 chars. The problem does not occur on 32bit with the same pkg version.

Version-Release number of selected component (if applicable):
squid-2.5.STABLE3-9.3E-x86_64

How reproducible:
Simple.

Steps to Reproduce:
1. Install squid & httpd on 64bit rhel3
2. run attached reproducer script.
3.

Actual results:
Problem 500 EOF instead of reponse status line at length 1 + 2021 + 27

Expected results:
no output.

Additional info:
Created attachment 334969: perl reproducer
Created attachment 334971: squid cache.log with debugging enabled.
Additional notes.

This does not occur with RHEL4 & RHEL5 versions.

Core dumps do not give a usable backtrace.

# gdb /usr/sbin/squid core.28659
GNU gdb Red Hat Linux (6.3.0.0-1.138.el3rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib64/tls/libthread_db.so.1".
(no debugging symbols found)
Core was generated by `(squid) -D'.
Program terminated with signal 6, Aborted.
#0 0x0000002a96491745 in ?? ()
(gdb) where
#0 0x0000002a96491745 in ?? ()
#1 0x0000002a96492eb3 in ?? ()
#2 0x0000000000000020 in ?? ()
#3 0x0000000000000000 in ?? ()
(gdb) info reg
rax            0x0                 0
rbx            0x0                 0
rcx            0xffffffffffffffff  -1
rdx            0x6                 6
rsi            0x6ff3              28659
rdi            0x6ff3              28659
rbp            0x7fbfff8ca0        0x7fbfff8ca0
rsp            0x7fbfff8b58        0x7fbfff8b58
r8             0x6ff3              28659
r9             0x6                 6
r10            0x8                 8
r11            0x206               518
r12            0x1                 1
r13            0x7fbfff9780        548682045312
r14            0x7fbfff9930        548682045744
r15            0x7fbfff92c8        548682044104
rip            0x2a96491745        0x2a96491745
eflags         0x206               518
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb)
Created attachment 411632: This patch fixes the issue for me
As this patch code is used in the RHEL-4 version of squid (in fact ifdefed for the case that va_copy() is not supported on the system), closed that next release. The patch seems to be simple and safe, but RHEL-3 is really close to EOL. Updating to RHEL-4 or later is recommended if you want to have this issue fixed.
See http://www2.gr.squid-cache.org/mail-archive/squid-dev/200311/0072.html and http://bugs.squid-cache.org/show_bug.cgi?id=753 for reference on the upstream fix.