How to crash squid 1.2b11: (thinking about it, it probably applies to
the others too).
Give it 'GET http://site.com HTTP/1.0\n\n\n'.
Instant boom. The problem is in parseHttpRequest where it does
'end = mime_headers_end()' which does strstr("\n\n"). Then it does
something like
    while (*t == '\n')
        ++t;
Then it says 'size = end - t'. See the problem yet??
It then does a memcpy() using that size.. :)
That's what was causing all the SEGVs in..
(gdb) where
#0 0x40093c38 in memcpy (dstpp=0xfffffffe, srcpp=0xffffffff, len=224695344)
#1 0xbffff9e8 in ?? ()
#2 0x80562ad in parseHttpRequest (conn=0xec0dbc8, method_p=0xbffff9f4, status=0xbffff9f0,
headers_p=0xbffff9ec, headers_sz_p=0xbffff9e8) at client_side.c:1479
#3 0x80567c2 in clientReadRequest (fd=427, data=0xec0dbc8) at client_side.c:1614
#4 0x8058903 in comm_select (sec=1) at comm.c:1118
#5 0x806827e in main (argc=2, argv=0xbffffe70) at main.c:591
#6 0x804a27e in ___crt_dummy__ ()
I've got some debugging in there now checking that 't > end'.
    if ((t > end) || (header_sz < 0) || (req_sz < 0)) {
        debug(0,0) ("KARMA: t > end (%p, %p, %d, %d)\n", t, end,
            header_sz, req_sz);
        .... /* clean up and error */
    }
which just produced:
98/01/30 17:19:46| KARMA: t > end (0xc082f48, 0xc082f40, -8, 40)
(I used telnet to do it, so it actually sent '\r\n\r\n\r\n\r\n', but
it's close enough )
Michael.
Received on Tue Jul 29 2003 - 13:15:45 MDT
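An added illustration of the arithmetic the post describes, written for this page and not taken from Squid or from Michael's message: a small C model in which the unchecked `size = end - t` sits beside the `t > end` check. The helper names (`headers_end`, `header_start`), the status codes and the simplification to a bare `"\n\n"` terminator (no `"\r\n\r\n"` handling) are assumptions of the model.

```c
/* Added model of the header-length arithmetic described in the post.
 * This is NOT Squid's code: helper names, the status codes and the
 * restriction to "\n\n" (no "\r\n\r\n") are assumptions of the model. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

enum { HDR_INCOMPLETE = -1, HDR_UNDERFLOW = -2 };

/* Stand-in for mime_headers_end(): pointer just past the first blank
 * line, or NULL if the request is not complete yet. */
static const char *headers_end(const char *buf)
{
    const char *p = strstr(buf, "\n\n");
    return p ? p + 2 : NULL;
}

/* Start of the header block: skip the request line, then run the loop
 * the post quotes, which skips '\n' with no regard to where the headers
 * end. */
static const char *header_start(const char *buf)
{
    const char *t = strchr(buf, '\n');
    if (t == NULL)
        return buf;
    ++t;                    /* past the request line */
    while (*t == '\n')
        ++t;                /* steps past headers_end() on extra blank lines */
    return t;
}

int request_complete(const char *buf)
{
    return headers_end(buf) != NULL;
}

/* Vulnerable form: 'size = end - t' with nothing between it and memcpy().
 * Caller must already know the request is complete. A negative result
 * cast to size_t is the enormous len seen in the post's memcpy frame. */
ssize_t header_size_unchecked(const char *buf)
{
    const char *end = headers_end(buf);
    const char *t = header_start(buf);
    return end - t;         /* may be negative */
}

/* Hardened form: the post's 't > end' check, applied before any length
 * is trusted. Returns the size, or a negative status code. */
ssize_t header_size_checked(const char *buf)
{
    const char *end = headers_end(buf);
    if (end == NULL)
        return HDR_INCOMPLETE;      /* wait for more data */
    const char *t = header_start(buf);
    if (t > end)
        return HDR_UNDERFLOW;       /* reject; never reaches memcpy() */
    return end - t;
}

int main(void)
{
    /* Constructed requests: the post's trigger, a normal one, a partial one. */
    const char *trigger = "GET http://site.com HTTP/1.0\n\n\n";
    const char *normal  = "GET http://site.com HTTP/1.0\nHost: site.com\n\n";
    const char *partial = "GET http://site.com HTTP/1.0\nHost: site.com\n";

    printf("trigger  unchecked=%zd checked=%zd\n",
           header_size_unchecked(trigger), header_size_checked(trigger));
    printf("         as size_t for memcpy: %zu\n",
           (size_t)header_size_unchecked(trigger));
    printf("normal   unchecked=%zd checked=%zd\n",
           header_size_unchecked(normal), header_size_checked(normal));
    printf("partial  complete=%d checked=%zd\n",
           request_complete(partial), header_size_checked(partial));
    return 0;
}
```

For the trigger request the unchecked form yields -1 (the author's telnet run, with `\r\n` pairs, showed -8), which becomes SIZE_MAX once passed to memcpy(); the checked form returns HDR_UNDERFLOW instead and the request is dropped before any copy.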