Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 580008

Summary: httpd crash after premature connection termination
Product: Red Hat Enterprise Linux 5 Reporter: Peter Pramberger <peter>
Component: httpdAssignee: Joe Orton <jorton>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 5.4CC: ralph, redhat
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-21 08:54:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Stacktrace none

Description Peter Pramberger 2010-04-07 09:38:49 UTC 
Created attachment 404874 [details]
Stacktrace

Description of problem:
We're experiencing several crashes a day from apache childs dying in mod_deflate/zlib/crc32(). According to the attached stacktrace an invalid address is passed on.

Involved components: httpd (prefork), mod_deflate, mod_php, php-pecl-oci8

After some research it seems [1] matches exactly this case. The upstream fix in [2] solves the issue for us (no more crashes). Would be great if you can backport/include it in the httpd package.

Version-Release number of selected component (if applicable):
httpd-2.2.3-31.el5_4.2
httpd-2.2.3-31.el5_4.4
php-5.1.6-23.2.el5_3
php-5.1.6-24.el5_4.5
php-pecl-oci8-1.2.5-1.el5.ebis
php-pecl-oci8-1.3.5-4.el5.ebis

How reproducible:
Difficult to provide, as this case requires an Oracle database on the other end. Anyway by using a small PHP script, which reads a BLOB (eg. an image) from the database and provides it to the client, an interruption of the connection during the data transfer immediately crashes the associated child.

Steps to Reproduce:
1. Put a image in a BLOB
2. Write a download script
3. curl --compressed -D- -k -L -N "--limit-rate 50k http://some.host/download.php?ref=test" -o test.jpg
4. Interrupt the transfer
  
Actual results:
Associated child crashes.

Expected results:
Associated child handles other requests/terminated cleanly.

Additional info:
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=36780
[2] https://issues.apache.org/bugzilla/attachment.cgi?id=24087
Comment 1 Peter Pramberger 2010-04-07 11:06:33 UTC 
[3] http://www.mail-archive.com/dev@httpd.apache.org/msg44721.html
Comment 2 Joe Orton 2010-04-07 11:24:05 UTC 
Thanks for the report.
Comment 4 RHEL Program Management 2010-08-09 19:14:04 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 5 David Abdemoulaie 2010-12-14 19:03:05 UTC 
This bug is still present in RHEL 5.5. In addition, it occurs in much simpler cases than the one described by the original reporter. When using PHP with mod_deflate _any_ interrupted page load will cause the child process to crash. 

This bug is easily exploitable as a DoS. It is trivial to write a script that can request deflated resources from the server in rapid succession, immediately interrupting the download. This can crash all running child processes and overwhelm the server trying to spin up new ones.
Comment 7 Joe Orton 2011-02-26 14:36:33 UTC 
For anybody seeing this problem, a test repo is available
with experimental and *unsupported* packages which contain
a fix for this issue:

  http://people.redhat.com/jorton/Tikanga-httpd/
Comment 11 errata-xmlrpc 2011-07-21 08:54:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html
Comment 12 errata-xmlrpc 2011-07-21 11:46:53 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1067.html