
[Bug 66021] New: Segmentation fault in libpcre when processing RedirectMatch rule for a long request path
https://bz.apache.org/bugzilla/show_bug.cgi?id=66021

Bug ID: 66021
Summary: Segmentation fault in libpcre when processing
RedirectMatch rule for a long request path
Product: Apache httpd-2
Version: 2.4.53
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_alias
Assignee: bugs@httpd.apache.org
Reporter: szymek.655@gmail.com
Target Milestone: ---

Created attachment 38254
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38254&action=edit
Crash backtrace

The Apache worker process crashes with a segmentation fault when processing a
request with a path that is longer than 145 characters when the virtual host has
a redirect rule

RedirectMatch 301 "^((?!/[a-z][a-z]_[A-Z][A-Z]).)*/p/[0-9]+$" "/en_EN$0"

For example:
There is no crash for 138 characters: GET
/subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/suffix
There is a crash for 148 characters: GET
/subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/subpath14/suffix


Relevant logs from the crash:
[proxy_balancer:trace1] [pid 422:tid 140369117575992] mod_proxy_balancer.c(85):
[client redacted:62207] canonicalising URL
//redacted/subpath01/subpath02/subpath03/subpath04/subpath05/subpath06/subpath07/subpath08/subpath09/subpath10/subpath11/subpath12/subpath13/subpath14/suffix
[mpm_event:trace5] [pid 23:tid 140369131846472] event.c(2992): Spawning new
child: slot 2 active / total daemons: 3/3
[core:trace4] [pid 23:tid 140369131846472] mpm_common.c(538): mpm child 504
(gen 3/slot 2) started
[core:notice] [pid 23:tid 140369131846472] AH00052: child pid 422 exit signal
Segmentation fault (11)
[core:trace4] [pid 23:tid 140369131846472] mpm_common.c(538): mpm child 422
(gen 3/slot 0) exited

A backtrace from a similar crash (but not exactly the one from the logs) is
attached to this issue. It looks like, after bouncing between 2 code locations
in libpcre, the process goes to line 1612 and then the crash occurs. My
(uneducated) guess would be that this is an issue in libpcre itself and not a
bug in Apache. However, I decided to create this ticket for visibility purposes
and to provide motivation for migrating to libpcre2, since libpcre is no longer
maintained (discussed in https://www.apachelounge.com/viewtopic.php?p=40962).


Disclaimer - I only investigated this issue, I'm not responsible for writing
this regex myself. I understand that it could be rewritten to be more optimal.
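The reporter notes that the rule could be rewritten. The pattern in the report runs a negative lookahead before every single character it consumes, and each iteration of that repeated group is what the engine has to keep state for across a long path. The script below is an added example, not code from the report or from httpd: it takes the directive's regex and a hypothetical rewrite (an assumption on my part, not something the report proposes) that hoists the locale check into one anchored lookahead, and checks that both patterns accept and reject the same constructed sample paths, including the two path shapes from the report and paths that carry a locale segment. Python's `re` is not PCRE, so this only verifies that the two patterns describe the same set of URLs; it says nothing about how libpcre executes either one, and a change to a production redirect rule should still be validated against the real server.

```python
import re

# The regex from the RedirectMatch directive in the bug report.
ORIGINAL = re.compile(r"^((?!/[a-z][a-z]_[A-Z][A-Z]).)*/p/[0-9]+$")

# Hypothetical rewrite (an assumption, not taken from the report): the
# "no locale segment before the /p/<digits> tail" condition is expressed once,
# as an anchored negative lookahead, instead of being re-checked for every
# character the repeated group consumes. The overall match, and therefore $0
# in the directive, is unchanged.
REWRITTEN = re.compile(r"^(?!.*/[a-z][a-z]_[A-Z][A-Z]).*/p/[0-9]+$")


def segments_path(n, tail="/suffix"):
    """Build /subpath01/.../subpathNN<tail>, the shape used in the report."""
    return "".join(f"/subpath{i:02d}" for i in range(1, n + 1)) + tail


# Constructed sample paths: the 13- and 14-segment shapes from the report,
# plus cases that exercise the locale exclusion and the /p/<digits> tail.
SAMPLES = {
    "short_no_p": segments_path(13),                  # no /p/<digits> tail
    "long_no_p": segments_path(14),                   # no /p/<digits> tail
    "long_with_p": segments_path(14, "/p/12345"),     # should be redirected
    "locale_prefix": "/en_EN" + segments_path(14, "/p/12345"),  # already localised
    "locale_middle": segments_path(3) + "/de_DE" + segments_path(2, "/p/9"),
    "very_long_with_p": segments_path(2000, "/p/7"),  # far beyond the report's 148 chars
}


def matches(pattern, path):
    """True when the pattern accepts the whole path (both patterns are ^...$ anchored)."""
    return pattern.search(path) is not None


def compare(paths=SAMPLES):
    """Return {name: (original_matches, rewritten_matches)} for every sample path."""
    return {name: (matches(ORIGINAL, p), matches(REWRITTEN, p)) for name, p in paths.items()}


def equivalent(paths=SAMPLES):
    """True when the original and rewritten patterns agree on every sample."""
    return all(a == b for a, b in compare(paths).values())


if __name__ == "__main__":
    for name, (orig, rewritten) in compare().items():
        print(f"{name:18s} original={orig!s:5s} rewritten={rewritten!s:5s}")
    print("equivalent on all samples:", equivalent())
```

The two patterns agree on every sample: only paths ending in `/p/<digits>` with no `/xx_XX` segment anywhere before that tail are accepted. The reason the lookahead can be hoisted is that the tail `/p/<digits>` cannot contain an underscore, so any locale segment in a matching path necessarily sits entirely in the prefix the original group would have scanned.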
