Bug 489956 - URLs longer than 2048 chars cause SEGV on 64bit
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: squid (Show other bugs)
Version: 3.9
Hardware: x86_64 Linux
Priority: high Severity: high
Assigned To: Jiri Skala
Reported: 2009-03-12 13:04 EDT by Martin Poole
Modified: 2014-11-09 17:31 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-05-13 06:30:08 EDT


Attachments
- perl reproducer (695 bytes, text/plain), 2009-03-12 13:04 EDT, Martin Poole
- squid cache.log with debugging enabled. (160.90 KB, application/octet-stream), 2009-03-12 13:06 EDT, Martin Poole
- This patch fixes the issue for me (916 bytes, patch), 2010-05-05 10:32 EDT, Jiri Skala
Description Martin Poole 2009-03-12 13:04:01 EDT
Description of problem:

Long URLs (more than 2048 characters) cause squid to SEGV. The code contains specific length limits for URLs, but this is a compile-time limit and defaults to 4096 chars. The problem does not occur on 32bit with the same pkg version.

Version-Release number of selected component (if applicable):

squid-2.5.STABLE3-9.3E-x86_64 

How reproducible:

Simple.

Steps to Reproduce:
1. Install squid & httpd on 64bit rhel3
2. run attached reproducer script.
Actual results:

Problem 500 EOF instead of reponse status line at length 1 + 2021 + 27

Expected results:

no output.

Additional info:
Comment 1 Martin Poole 2009-03-12 13:04:48 EDT
Created attachment 334969
perl reproducer
Comment 2 Martin Poole 2009-03-12 13:06:15 EDT
Created attachment 334971
squid cache.log with debugging enabled.
Comment 3 Martin Poole 2009-03-12 13:18:22 EDT
Additional notes.

This does not occur with RHEL4 & RHEL5 versions.

Core dumps do not give a usable backtrace.

# gdb /usr/sbin/squid core.28659
     GNU gdb Red Hat Linux (6.3.0.0-1.138.el3rh)
     Copyright 2004 Free Software Foundation, Inc.
     GDB is free software, covered by the GNU General Public License, and you are
     welcome to change it and/or distribute copies of it under certain conditions.
     Type "show copying" to see the conditions.
     There is absolutely no warranty for GDB.  Type "show warranty" for details.
     This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbols found)
     Using host libthread_db library "/lib64/tls/libthread_db.so.1".
     (no debugging symbols found)
     
     Core was generated by `(squid) -D'.
     Program terminated with signal 6, Aborted.
     #0  0x0000002a96491745 in ?? ()
     (gdb) where
     #0  0x0000002a96491745 in ?? ()
     #1  0x0000002a96492eb3 in ?? ()
     #2  0x0000000000000020 in ?? ()
     #3  0x0000000000000000 in ?? ()
     (gdb) info reg
     rax            0x0      0
     rbx            0x0      0
     rcx            0xffffffffffffffff       -1
     rdx            0x6      6
     rsi            0x6ff3   28659
     rdi            0x6ff3   28659
     rbp            0x7fbfff8ca0     0x7fbfff8ca0
     rsp            0x7fbfff8b58     0x7fbfff8b58
     r8             0x6ff3   28659
     r9             0x6      6
     r10            0x8      8
     r11            0x206    518
     r12            0x1      1
     r13            0x7fbfff9780     548682045312
     r14            0x7fbfff9930     548682045744
     r15            0x7fbfff92c8     548682044104
     rip            0x2a96491745     0x2a96491745
     eflags         0x206    518
     cs             0x33     51
     ss             0x2b     43
     ds             0x0      0
     es             0x0      0
     fs             0x0      0
     gs             0x0      0
     (gdb)
Comment 6 Jiri Skala 2010-05-05 10:32:43 EDT
Created attachment 411632
This patch fixes the issue for me
Comment 11 Ondrej Vasik 2010-05-13 06:38:24 EDT
As this patch code is used in the RHEL-4 version of squid (in fact ifdef'ed for the case that va_copy() is not supported on the system), I closed this as NEXTRELEASE. The patch seems simple and safe, but RHEL-3 is really close to EOL. Updating to RHEL-4 or later is recommended if you want this issue fixed.

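Comment 11 ties the fix to code guarded by a va_copy() availability check. The attached squid patch itself is not reproduced on this page, so the following is an added example, not squid's code: it shows, as an assumption about what such a fix addresses, the standard idiom in which va_copy() is mandatory, namely a vsnprintf() probe into a small buffer followed by a retry into a heap buffer once the required length is known. The function names, the probe size and the `http://example.test/` URL prefix are constructed for the example. The wrong variant is included only for contrast and is never called.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small so that any realistic request line overflows the
 * probe buffer and the retry path (the one that needs va_copy) is taken. */
#define PROBE_SIZE 64

/* Correct idiom: every vsnprintf() call gets its own va_list.  The probe
 * consumes the copy; the retry consumes the untouched original. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, probe_ap;
    char probe[PROBE_SIZE];
    char *out;
    int need;

    va_start(ap, fmt);
    va_copy(probe_ap, ap);
    need = vsnprintf(probe, sizeof probe, fmt, probe_ap);
    va_end(probe_ap);
    if (need < 0) {
        va_end(ap);
        return NULL;
    }
    out = malloc((size_t)need + 1);
    if (out == NULL) {
        va_end(ap);
        return NULL;
    }
    if ((size_t)need < sizeof probe)
        memcpy(out, probe, (size_t)need + 1);      /* first attempt fit */
    else
        vsnprintf(out, (size_t)need + 1, fmt, ap); /* retry with fresh ap */
    va_end(ap);
    return out;
}

/* WRONG variant (never called here, error handling omitted): reusing `ap`
 * after vsnprintf() has walked it is undefined behaviour.  On i386 va_list
 * is a plain pointer handed to the callee by value, so the caller's copy is
 * untouched and the retry happens to work.  On x86_64 va_list is an array
 * type whose state the callee advances in place, so the retry reads past
 * the real arguments: a "fine on 32-bit, crashes on 64-bit once the output
 * is long enough" symptom like the one this bug describes. */
char *format_alloc_wrong(const char *fmt, ...)
{
    va_list ap;
    char probe[PROBE_SIZE];
    va_start(ap, fmt);
    int need = vsnprintf(probe, sizeof probe, fmt, ap); /* consumes ap */
    char *out = malloc((size_t)need + 1);
    if (out != NULL)
        vsnprintf(out, (size_t)need + 1, fmt, ap);      /* UB: ap reused */
    va_end(ap);
    return out;
}

/* Constructed input: a URL whose path is `path_len` bytes of 'a'. */
char *build_long_url(size_t path_len)
{
    const char prefix[] = "http://example.test/";
    char *url = malloc(sizeof prefix + path_len); /* sizeof includes NUL */
    if (url == NULL)
        return NULL;
    memcpy(url, prefix, sizeof prefix - 1);
    memset(url + sizeof prefix - 1, 'a', path_len);
    url[sizeof prefix - 1 + path_len] = '\0';
    return url;
}

/* Length of a request line built through format_alloc() for such a URL:
 * "GET " (4) + prefix (20) + path_len + " HTTP/1.0" (9). */
size_t request_line_len(size_t path_len)
{
    char *url = build_long_url(path_len);
    if (url == NULL)
        return 0;
    char *line = format_alloc("GET %s HTTP/1.0", url);
    size_t len = line ? strlen(line) : 0;
    free(line);
    free(url);
    return len;
}

int main(void)
{
    char *line = format_alloc("GET %s HTTP/1.0", "http://example.test/short");
    printf("%s\n", line ? line : "(alloc failed)");
    free(line);
    printf("2048-byte path -> %zu-byte request line\n", request_line_len(2048));
    return 0;
}
```

The 2048-byte path case exercises exactly the retry branch, which is where the two variants diverge: format_alloc() produces a 2081-byte line on any architecture, while the reuse pattern in format_alloc_wrong() is only correct by accident of the 32-bit calling convention.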