
Thread: segfault in lighttpd 1.4.11, r1125




segfault in lighttpd 1.4.11, r1125
user name
2006-05-13 03:24:10
I'm running lighttpd built from r1125. Works great, except that we've found a few folks running some odd combination of IE with .NET installed, such that when they hit lighttpd using some specific hostname:port combinations, it causes lighttpd to segfault.

It's VERY odd -- if they hit the exact same server using a different hostname, it works fine. I'm guessing there's some odd buffer overflow based on the HTTP headers in combination w/ the specific user-agent sent by this browser. Though our attempts to replicate by just spoofing the user-agent haven't worked.

Anyway, any ideas? Here's an strace from the segfault:

poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}, {fd=-1}, {fd=8, events=POLLIN, revents=POLLIN}, {fd=-1}], 5, 1000) = 1
read(8, "\27\3\0\0033", 5)              = 5
read(8, "\316>\304L\260r\257\255\307\225%A\233\350 }\31\2\322\207"..., 819) = 819
stat64("/prod/amp/current/config/lighttpd-htdigest.user", {st_mode=S_IFREG|0644, st_size=52, ...}) = 0
open("/prod/amp/current/config/lighttpd-htdigest.user", O_RDONLY|O_LARGEFILE) = 7
mmap2(NULL, 52, PROT_READ, MAP_SHARED, 7, 0) = 0x402e3000
close(7)                                = 0
munmap(0x402e3000, 52)                  = 0
stat64("/prod/amp/current/config/lighttpd-power-magnet.cml", {st_mode=S_IFREG|0644, st_size=590, ...}) = 0
open("/prod/amp/current/config/lighttpd-power-magnet.cml", O_RDONLY|O_LARGEFILE) = 7
mmap2(NULL, 590, PROT_READ, MAP_SHARED, 7, 0) = 0x402e3000
close(7)                                = 0
stat64("/prod/amp/current/public/maintenance.html", 0xbffff0e0) = -1 ENOENT (No such file or directory)
stat64("/prod/amp/current/public//stylesheets/styles.css", {st_mode=S_IFREG|0644, st_size=31043, ...}) = 0
stat64("/prod/amp/current/public//stylesheets/styles.css", {st_mode=S_IFREG|0644, st_size=31043, ...}) = 0
open("/prod/amp/current/public//stylesheets/styles.css", O_RDONLY|O_LARGEFILE) = 7
close(7)                                = 0
--- SIGSEGV (Segmentation fault)  0 (0) ---
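
Added example (not part of the original post): the two read() calls on fd 8 in the strace above can be decoded offline. This Python sketch unescapes strace's octal string notation and parses the first read as a TLS/SSL record header; the two trace lines are copied from the post, and all function names are this example's own.

```python
import re

# TLS/SSL record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# The two read() lines on fd 8, copied from the strace in the post.
TRACE = r'''read(8, "\27\3\0\0033", 5)              = 5
read(8, "\316>\304L\260r\257\255\307\225%A\233\350 }\31\2\322\207"..., 819) = 819'''

_ESC = re.compile(r'\\([0-7]{1,3}|x[0-9a-fA-F]{2}|.)', re.S)
_SIMPLE = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12}
READ_RE = re.compile(r'read\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+)\)\s*=\s*(\d+)')

def strace_unescape(s):
    """Turn the body of an strace string literal into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        if tok[0] in "01234567":              # octal escape, at most 3 digits
            out.append(int(tok, 8) & 0xFF)
        elif tok[0] == "x" and len(tok) == 3:  # hex escape (strace -x)
            out.append(int(tok[1:], 16))
        else:                                  # \n, \t, \\, \" and friends
            out.append(_SIMPLE.get(tok, ord(tok)))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)

def parse_record_header(hdr):
    """Decode the 5-byte header: type, version (major, minor), body length."""
    if len(hdr) != 5:
        raise ValueError("a TLS record header is exactly 5 bytes")
    return {"type": CONTENT_TYPES.get(hdr[0], "unknown(%d)" % hdr[0]),
            "version": (hdr[1], hdr[2]),
            "length": int.from_bytes(hdr[3:5], "big")}

def tls_records(trace):
    """Pair each 5-byte read with the next read on the same fd."""
    reads = [(int(fd), strace_unescape(data), int(ret))
             for fd, data, _, _, ret in READ_RE.findall(trace)]
    found = []
    for (fd, data, ret), (fd2, _, ret2) in zip(reads, reads[1:]):
        if ret == 5 and fd == fd2:
            rec = parse_record_header(data)
            rec["fd"] = fd
            rec["body_read_matches"] = (ret2 == rec["length"])
            found.append(rec)
    return found

if __name__ == "__main__":
    print(tls_records(TRACE))
```

For this trace the header decodes to an application_data record, version 3.0, length 819, which matches the 819-byte read that follows. The request handled just before the SIGSEGV therefore arrived over an SSL connection.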

segfault in lighttpd 1.4.11, r1125
user name
2006-05-13 07:57:56
What would be very useful is a core dump.  You have to specifically enable core file and make sure that the working directory of the process is writable by the user that process is running as.

Put this in your conf file:

server.core-files = "enable"

Most likely, the working directory will be /, so you'll not be able to write there unless you are running as root, which isn't a good idea generally.

Once you have a core file, you can use gdb to find the backtrace at the point it crashed (presuming you compiled with as a cflag option).

It's not all that tricky. However, if you are still having trouble, I can post a more elaborate explanation on the wiki.

-Mike

On May 12, 2006, at 8:24 PM, Michael A. Schoen wrote:

> I'm running lighttpd built from r1125. Works great, except that
> we've found a few folks running some odd combination of IE
> with .NET installed, such that when they hit lighttpd using some
> specific hostname:port combinations, it causes lighttpd to segfault.
>
> It's VERY odd -- if they hit the exact same server using a
> different hostname, it works fine. I'm guessing there's some odd
> buffer overflow based on the HTTP headers in combination w/ the
> specific user-agent sent by this browser. Though our attempts to
> replicate by just spoofing the user-agent haven't worked.
>
> Anyway, any ideas? Here's an strace from the segfault:
>
> poll([{fd=4, events=POLLIN}, {fd=5, events=POLLIN}, {fd=-1}, {fd=8, events=POLLIN, revents=POLLIN}, {fd=-1}], 5, 1000) = 1
> read(8, "\27\3\0\0033", 5)              = 5
> read(8, "\316>\304L\260r\257\255\307\225%A\233\350 }\31\2\322\207"..., 819) = 819
> stat64("/prod/amp/current/config/lighttpd-htdigest.user", {st_mode=S_IFREG|0644, st_size=52, ...}) = 0
> open("/prod/amp/current/config/lighttpd-htdigest.user", O_RDONLY|O_LARGEFILE) = 7
> mmap2(NULL, 52, PROT_READ, MAP_SHARED, 7, 0) = 0x402e3000
> close(7)                                = 0
> munmap(0x402e3000, 52)                  = 0
> stat64("/prod/amp/current/config/lighttpd-power-magnet.cml", {st_mode=S_IFREG|0644, st_size=590, ...}) = 0
> open("/prod/amp/current/config/lighttpd-power-magnet.cml", O_RDONLY|O_LARGEFILE) = 7
> mmap2(NULL, 590, PROT_READ, MAP_SHARED, 7, 0) = 0x402e3000
> close(7)                                = 0
> stat64("/prod/amp/current/public/maintenance.html", 0xbffff0e0) = -1 ENOENT (No such file or directory)
> stat64("/prod/amp/current/public//stylesheets/styles.css", {st_mode=S_IFREG|0644, st_size=31043, ...}) = 0
> stat64("/prod/amp/current/public//stylesheets/styles.css", {st_mode=S_IFREG|0644, st_size=31043, ...}) = 0
> open("/prod/amp/current/public//stylesheets/styles.css", O_RDONLY|O_LARGEFILE) = 7
> close(7)                                = 0
> --- SIGSEGV (Segmentation fault)  0 (0) ---
>
>
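
Added example (not from the thread or the lighttpd project): a Python check of the two preconditions the reply names, a non-zero core size limit and a working directory the server's user can write to. The limits text, uid 1001 and the root-owned 0755 "/" are constructed sample values; the check looks at plain mode bits only (no ACLs) and assumes cores are written relative to the working directory.

```python
import stat

# Constructed sample in the layout of /proc/<pid>/limits (not from the thread).
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files
"""

def soft_core_limit(limits_text):
    """Soft 'Max core file size' from /proc/<pid>/limits; None means unlimited."""
    key = "Max core file size"
    for line in limits_text.splitlines():
        if line.startswith(key):
            soft = line[len(key):].split()[0]
            return None if soft == "unlimited" else int(soft)
    raise ValueError("no core file size row found")

def dir_writable_by(mode, owner_uid, owner_gid, uid, gids):
    """Unix mode-bit check: may (uid, gids) create a file in this directory?"""
    if uid == 0:
        return True
    if uid == owner_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need

def core_dump_blockers(limits_text, cwd, cwd_stat, uid, gids):
    """List the reasons a crash of this process would leave no core file."""
    problems = []
    if soft_core_limit(limits_text) == 0:
        problems.append("core size limit is 0")
    mode, owner_uid, owner_gid = cwd_stat
    if not dir_writable_by(mode, owner_uid, owner_gid, uid, gids):
        problems.append("uid %d cannot write to working directory %s" % (uid, cwd))
    return problems

if __name__ == "__main__":
    # Constructed case: unprivileged uid 1001 with cwd "/" owned by root, mode 0755.
    for p in core_dump_blockers(SAMPLE_LIMITS, "/", (0o755, 0, 0), 1001, [1001]):
        print("blocker:", p)
```

On a live Linux host the same inputs come from /proc/<pid>/limits, a stat of /proc/<pid>/cwd, and the Uid and Gid lines of /proc/<pid>/status.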
