Bug 204771

Summary:	fetch(3): Segmentation fault in fetchReqHTTP
Product:	Base System	Reporter:	Antoine Brodin <antoine>
Component:	bin	Assignee:	Dag-Erling Smørgrav <des>
Status:	Closed FIXED
Severity:	Affects Many People	CC:	bapt, des
Priority:	---	Flags:	des: mfc-stable10+ des: mfc-stable9+ des: mfc-stable8-
Version:	CURRENT
Hardware:	Any
OS:	Any

Description Antoine Brodin freebsd_committer

2015-11-23 20:17:58 UTC

I have a segmenation fault in fetchReqHTTP for some websites:

% fetch http://klubok.com/
fetch: http://klubok.com/: size of remote file is not known
fetch.out                                                0  B    0  BpsSegmentation fault (core dumped)

The backtrace:
(gdb) bt
#0  0x0000000800b88565 in memcpy () from /lib/libc.so.7
#1  0x000000080082dcdc in fetchReqHTTP () from /usr/lib/libfetch.so.6
#2  0x0000000800b8a080 in getdtablesize () from /lib/libc.so.7
#3  0x0000000800b72566 in __srget () from /lib/libc.so.7
#4  0x0000000800b6ec09 in fread () from /lib/libc.so.7
#5  0x0000000800b6eb11 in fread () from /lib/libc.so.7

curl has the following warning with the same website:
curl: (18) transfer closed with outstanding read data remaining

bapt@ provided this workaround:  https://people.freebsd.org/~bapt/fetch.diff

Comment 1 Dag-Erling Smørgrav freebsd_committer

2015-11-26 13:32:39 UTC

Confirmed on 10.2 and 11.0.

Comment 2 Baptiste Daroussin freebsd_committer

2015-11-26 15:41:47 UTC

FYI: Do not use my workaround, it is just a workaround it hides the real issue!

Comment 3 commit-hook freebsd_committer

2015-12-16 13:51:53 UTC

A commit references this bug:

Author: des
Date: Wed Dec 16 09:17:07 UTC 2015
New revision: 292330
URL: https://svnweb.freebsd.org/changeset/base/292330

Log:
  Reset bufpos to 0 immediately after refilling the buffer.  Otherwise, we
  risk leaving the connection in an indeterminate state if the server fails
  to send a chunk delimiter.  Depending on the application and on the sizes
  of the preceding chunks, the result can be anything from missing data to a
  segfault.  With this patch, it will be reported as a protocol error.

  PR:		204771
  MFC after:	1 week

Changes:
  head/lib/libfetch/http.c

Comment 4 commit-hook freebsd_committer

2016-01-16 20:25:01 UTC

A commit references this bug:

Author: des
Date: Sat Jan 16 20:24:03 UTC 2016
New revision: 294194
URL: https://svnweb.freebsd.org/changeset/base/294194

Log:
  MFH (r280630): remove all traces of SSLv2 support
  MFH (r285141): remove unused variable
  MFH (r288217): correctly check return value from getaddrinfo(3)
  MFH (r289419): fix bugs in HTTPS tunnelling
  MFH (r289420): use fopen()'s "e" mode instead of fcntl for close-on-exec
  MFH (r291453, r291461): use .netrc for http servers and proxies
  MFH (r292330, r292332): reset bufpos to 0 after refilling in chunked mode

  PR:		194483 199801 193740 204771

Changes:
_U  stable/10/
  stable/10/lib/libfetch/common.c
  stable/10/lib/libfetch/fetch.3
  stable/10/lib/libfetch/file.c
  stable/10/lib/libfetch/http.c
  stable/10/usr.bin/fetch/fetch.1
  stable/10/usr.bin/fetch/fetch.c

Comment 5 commit-hook freebsd_committer

2016-01-26 07:44:45 UTC

A commit references this bug:

Author: des
Date: Tue Jan 26 07:44:28 UTC 2016
New revision: 294776
URL: https://svnweb.freebsd.org/changeset/base/294776

Log:
  MFH (r261233): cleanup
  MFH (r261234): increase buffer size
  MFH (r280630): remove all traces of SSLv2 support
  MFH (r285141): remove unused variable
  MFH (r288217): correctly check return value from getaddrinfo(3)
  MFH (r289419): fix bugs in HTTPS tunnelling
  MFH (r289420): use fopen()'s "e" mode instead of fcntl for close-on-exec
  MFH (r291453, r291461): use .netrc for http servers and proxies
  MFH (r292330, r292332): reset bufpos to 0 after refilling in chunked mode

  PR:		194483 199801 193740 204771

Changes:
_U  stable/9/
_U  stable/9/lib/
_U  stable/9/lib/libfetch/
  stable/9/lib/libfetch/common.c
  stable/9/lib/libfetch/fetch.3
  stable/9/lib/libfetch/file.c
  stable/9/lib/libfetch/http.c
_U  stable/9/usr.bin/
_U  stable/9/usr.bin/fetch/
  stable/9/usr.bin/fetch/fetch.1
  stable/9/usr.bin/fetch/fetch.c