Segmentation fault when using http3(quiche) to request an invalid(?) https url #6664

Closed
Cering opened this issue Feb 26, 2021 · 2 comments
@Cering Cering commented Feb 26, 2021

I did this

(1) request an invalid https url and the result is failed, because curl: (60) SSL certificate problem: certificate has expired
(2) then use http3 (with quiche) to try again, a Segmentation fault happened, curl cannot return error info like (1)

(1) normal request

# ./curl -v "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"

* STATE: INIT => CONNECT handle 0xdd0d48; line 1646 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0xdd0d48; line 1692 (connection #0)
* family0 == v4, family1 == v6
*   Trying 184.51.102.201:443...
* STATE: WAITRESOLVE => WAITCONNECT handle 0xdd0d48; line 1774 (connection #0)
* Connected to akaquic.com (184.51.102.201) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0xdd0d48; line 1840 (connection #0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0xdd0d48; line 1858 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* multi_done
* The cache now contains 0 members
* Closing connection 0
* Expire cleared (transfer 0xdd0d48)
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

(2) http3 request

# ./curl -v --http3 "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"

* STATE: INIT => CONNECT handle 0x77bd48; line 1646 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x77bd48; line 1692 (connection #0)
* family0 == v4, family1 == v6
*   Trying 184.51.102.201:443...
* Connect socket 5 over QUIC to 184.51.102.201:443
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* STATE: WAITRESOLVE => WAITCONNECT handle 0x77bd48; line 1774 (connection #0)
* quiche_conn_recv() == -3
Segmentation fault

I expected the following

using gdb to locate SIGSEGV, and the stack is

(gdb) r -v --http3 "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"
Starting program: /data/download/curl-7.75.0/zbin/bin/curl -v --http3 "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
* STATE: INIT => CONNECT handle 0x657d48; line 1646 (connection #-5000)
* Added connection 0. The cache now contains 1 members
[New Thread 0x2aaab2b16700 (LWP 8001)]
* STATE: CONNECT => WAITRESOLVE handle 0x657d48; line 1692 (connection #0)
[Thread 0x2aaab2b16700 (LWP 8001) exited]
* family0 == v4, family1 == v6
*   Trying 184.51.102.195:443...
* Connect socket 9 over QUIC to 184.51.102.195:443
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* STATE: WAITRESOLVE => WAITCONNECT handle 0x657d48; line 1774 (connection #0)
* quiche_conn_recv() == -3

Program received signal SIGSEGV, Segmentation fault.
quiche::Connection::on_timeout::hb3b1496011e1cad3 (self=0x0) at src/lib.rs:3454
3454	        if let Some(draining_timer) = self.draining_timer {
Missing separate debuginfos, use: debuginfo-install libgcc-4.8.5-16.el7_4.2.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb)
(gdb) bt
#0  quiche::Connection::on_timeout::hb3b1496011e1cad3 (self=0x0) at src/lib.rs:3454
#1  0x00002aaaaba619cb in quiche_conn_on_timeout (conn=0x0) at src/ffi.rs:701
#2  0x00002aaaaad79d1a in process_ingress (data=0x657d48, sockfd=9, qs=0x656e10) at vquic/quiche.c:364
#3  0x00002aaaaad79c47 in Curl_quic_is_connected (data=0x657d48, conn=0x656d78, sockindex=0, done=0x7fffffffddc7) at vquic/quiche.c:336
#4  0x00002aaaaacf7302 in Curl_is_connected (data=0x657d48, conn=0x656d78, sockindex=0, connected=0x7fffffffddc7) at connect.c:901
#5  0x00002aaaaad3426f in multi_runsingle (multi=0x656998, nowp=0x7fffffffdf10, data=0x657d48) at multi.c:1822
#6  0x00002aaaaad35630 in curl_multi_perform (multi=0x656998, running_handles=0x7fffffffdf64) at multi.c:2412
#7  0x00002aaaaad063c7 in easy_transfer (multi=0x656998) at easy.c:606
#8  0x00002aaaaad065f0 in easy_perform (data=0x657d48, events=false) at easy.c:696
#9  0x00002aaaaad0663a in curl_easy_perform (data=0x657d48) at easy.c:715
#10 0x000000000041b446 in serial_transfers (global=0x7fffffffe180, share=0x653748) at tool_operate.c:2326
#11 0x000000000041b8ba in run_all_transfers (global=0x7fffffffe180, share=0x653748, result=CURLE_OK) at tool_operate.c:2504
#12 0x000000000041bbdc in operate (global=0x7fffffffe180, argc=4, argv=0x7fffffffe2e8) at tool_operate.c:2620
#13 0x0000000000411efc in main (argc=4, argv=0x7fffffffe2e8) at tool_main.c:277

frame #2 process_ingress() passed qs->conn to quiche's method quiche_conn_on_timeout()
and the qs is from conn->hequic, but both quicsocket entries in conn->hequic are invalid

(gdb) frame 3
#3  0x00002aaaaad79c47 in Curl_quic_is_connected (data=0x657d48, conn=0x656d78, sockindex=0, done=0x7fffffffddc7) at vquic/quiche.c:336
336	  result = process_ingress(data, sockfd, qs);
(gdb) p conn->hequic
$1 = {{cfg = 0x0, conn = 0x0, h3c = 0x0, h3config = 0x0, scid = "+\n\006E\353s\342\004\362\235N\306\362\266\063\353\260\177\311p", sockfd = 9, version = 0}, {cfg = 0x0,
    conn = 0x0, h3c = 0x0, h3config = 0x0, scid = '\000' <repeats 19 times>, sockfd = 0, version = 0}}

curl/libcurl version

curl 7.75.0 (x86_64-pc-linux-gnu) libcurl/7.75.0 BoringSSL zlib/1.2.7 quiche/0.6.0
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS Debug HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TrackMemory UnixSockets

operating system

Linux centos7.virtual 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
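
The failure pattern in the backtrace above, a NULL `conn` handed to a library call that dereferences it, as an added example in C. This is not curl's or quiche's code and not the fix from the commit referenced in this issue; every type and function name is a hypothetical stand-in, and it assumes that a teardown after the failed receive cleared the pointer before the same slot was polled again.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins, not curl or quiche types. */
struct model_conn { int timeouts; };
struct model_qs { struct model_conn *conn; int sockfd; };

enum ingress_rc { INGRESS_OK, INGRESS_RECV_ERROR, INGRESS_NO_CONN };

/* Dereferences its argument unconditionally, like frame #0 in the backtrace. */
static void model_on_timeout(struct model_conn *c) { c->timeouts++; }

/* Teardown that frees the connection and clears the pointer (assumed). */
static void model_disconnect(struct model_qs *qs)
{
  free(qs->conn);
  qs->conn = NULL;
}

/* Guarded ingress step; recv_rc simulates the receive call's result. */
static enum ingress_rc ingress_checked(struct model_qs *qs, int recv_rc)
{
  if(!qs || !qs->conn)
    return INGRESS_NO_CONN;      /* never hand NULL to the library */
  if(recv_rc < 0) {
    model_disconnect(qs);        /* stop here, do not fall through */
    return INGRESS_RECV_ERROR;
  }
  model_on_timeout(qs->conn);
  return INGRESS_OK;
}

/* Replays the sequence: one receive result, then another poll of the slot. */
static int replay(int first_rc, enum ingress_rc *second)
{
  struct model_qs qs = { calloc(1, sizeof(struct model_conn)), 9 };
  enum ingress_rc first;
  if(!qs.conn)
    return -1;
  first = ingress_checked(&qs, first_rc);
  *second = ingress_checked(&qs, 0);
  model_disconnect(&qs);
  return (int)first;
}

int main(void)
{
  enum ingress_rc second;
  int first = replay(-3, &second);  /* -3 is the value shown in the log */
  printf("first=%d second=%d\n", first, (int)second);
  return 0;
}
```

With the guard in place the second poll returns an error code the caller can surface to the user, which is the behaviour the plain HTTPS request in (1) already shows.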

@bagder bagder commented Feb 26, 2021

I tried it with current curl in git with current quiche from git (0.7.0) and I can reproduce a crash, even if I seem to get a slightly different stack trace.

@bagder bagder commented Feb 26, 2021

I ran into issues when I tried to rebuild quiche and now I can't do it anymore. I've filed an issue over there cloudflare/quiche#863 and will come back here once I can build quiche again! 😢

@bagder bagder self-assigned this Mar 8, 2021
bagder added a commit that referenced this issue Mar 8, 2021
Reported-by: ウさん
Fixes #6664
@bagder bagder closed this in ec549aa Mar 8, 2021