evhtp_parse_query_wflags SIGSEGV: address access protected

[Ultima1252]

Details

I'm experiencing an out-of-bounds write attempt during evhtp_parse_query_wflags. I believe this issue is probably a memory allocation limit but I'm not exactly positive.

Steps or code to reproduce the problem.

Not sure if it is specific data that is currently on my server, more testing to reproduce need to be done. Installing the port seahub on FreeBSD and generate some syncs with seafile-client. In the logs there will be "Seafile kernel: pid 91446 (seaf-server), uid 900: exited on signal 11".

Further debugging I found that this will occur when len is at a higher value like len=1048660

• thread Socket leakage on error #6, name = 'seaf-server', stop reason = signal SIGSEGV: address access protected (fault address:
  0x7fffdf5f98e0)
  frame #0: 0x0000000800dac8da libevhtp.so.0`evhtp_parse_query_wflags(query="846adf988582db791bbedce08b99706b5e94c917", len=1048660, flags=0) at evhtp.c:3531

Version

FreeBSD: 11.2
Seafile-server: 6.3.4
Libevhtp: 1.2.16

Let me know if there is anything else that may help with debugging this.

[NathanFrench]

len=1048660 is this a 1MB query-string?

[Ultima1252]

* thread #13, name = 'seaf-server', stop reason = signal SIGSEGV: address access protected (fault address: 0x7fffde5f1690)
  * frame #0: 0x00000008003ef3aa libevhtp.so.0`evhtp_parse_query_wflags(query="7fb4f6eb233e228d951082079e3b7c2f988eaf05", len=1048708, flags=0) at evhtp.c:3531
    frame #1: 0x00000008003efa1f libevhtp.so.0`evhtp_parse_query(query="7fb4f6eb233e228d951082079e3b7c2f988eaf05", len=1048708) at evhtp.c:3750
    frame #2: 0x00000008003f8144 libevhtp.so.0`htp__request_parse_fini_(p=0x000000080335b800) at evhtp.c:2043
    frame #3: 0x00000008003ff46e libevhtp.so.0`hook_on_msg_complete_run(p=0x000000080335b800, hooks=0x0000000800403038) at parser.c:333
    frame #4: 0x00000008003fea5a libevhtp.so.0`htparser_run(p=0x000000080335b800, hooks=0x0000000800403038, data="f573e", len=802) at parser.c:2200
    frame #5: 0x00000008003f66b5 libevhtp.so.0`htp__connection_readcb_(bev=0x00000008032e3000, arg=0x000000080270a7c0) at evhtp.c:2267
    frame #6: 0x00000008006462ce libevent-2.1.so.7`bufferevent_run_readcb_(bufev=0x00000008032e3000, options=0) at bufferevent.c:251
    frame #7: 0x000000080064fbe4 libevent-2.1.so.7`bufferevent_trigger_nolock_(bufev=0x00000008032e3000, iotype=2, options=0) at bufferevent-internal.h:411
    frame #8: 0x000000080064f51a libevent-2.1.so.7`bufferevent_readcb(fd=45, event=2, arg=0x00000008032e3000) at bufferevent_sock.c:214
    frame #9: 0x000000080065c658 libevent-2.1.so.7`event_persist_closure(base=0x00000008026f8000, ev=0x00000008032e3010) at event.c:1629
    frame #10: 0x000000080065bbef libevent-2.1.so.7`event_process_active_single_queue(base=0x00000008026f8000, activeq=0x0000000802624640, max_to_process=2147483647, endtime=0x0000000000000000) at event.c:1688
    frame #11: 0x0000000800656069 libevent-2.1.so.7`event_process_active(base=0x00000008026f8000) at event.c:1789
    frame #12: 0x0000000800654e83 libevent-2.1.so.7`event_base_loop(base=0x00000008026f8000, flags=0) at event.c:2012
    frame #13: 0x0000000800400f1f libevhtp.so.0`_evthr_loop(args=0x00000008019947e0) at thread.c:121
    frame #14: 0x0000000801193776 libthr.so.3`___lldb_unnamed_symbol1$$libthr.so.3 + 326

Sorry, this took so long to circle back to, here is a backtrace. Currently on libevent version 2.1.11 and libevhtp version 1.2.16.

[Ultima1252]

I've finally determined the root cause of this, however, I'm still trying to determine why it is happening.

At [1] memory is allocated to a buffer or the heap depending on the EVHTP_HAS_C99 flag. I'm still not sure how to determine the max buffer size, but in this particular case, the buffer isn't large enough for the data which is causing a buffer overflow.

Compiling with -DEVHTP_HAS_C99=false fixes the error because it will allocate using the heap instead. haiwen/seafile#1928 also reported this bug quite awhile ago.

[1] https://github.com/criticalstack/libevhtp/blob/1.2.16/evhtp.c#L3502