[Bug 59897] New: Buffer Overflow in FD_SET in nb_connect (jk_connect.c) leading to apache2 crash
https://bz.apache.org/bugzilla/show_bug.cgi?id=59897

Bug ID: 59897
Summary: Buffer Overflow in FD_SET in nb_connect (jk_connect.c) leading to apache2 crash
Product: Tomcat Connectors
Version: 1.2.41
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_jk
Assignee: dev@tomcat.apache.org
Reporter: mdie...@mdiener.de

mod_jk occasionally crashes Apache because of a buffer overflow.

mod_jk 1.2.41 (happens also for 1.2.37)
Apache 2.4.7
Tomcat 6.0.39
Java 1.6.0_45 x86
Linux Ubuntu 14.04 x64 (3.13.0-91-generic)

Here is the error log from Apache:

    buffer overflow detected ***: /usr/sbin/apache2 terminated
    === Backtrace: =
    /lib/x86_64-linux-gnu/libc.so.6(+0x7329f)[0x7fe9aa7de29f]
    /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fe9aa875bbc]
    /lib/x86_64-linux-gnu/libc.so.6(+0x109a90)[0x7fe9aa874a90]
    /lib/x86_64-linux-gnu/libc.so.6(+0x10ab07)[0x7fe9aa875b07]
    /usr/lib/apache2/modules/mod_jk.so(jk_open_socket+0x8d8)[0x7fe9a7c60cb8]
    /usr/lib/apache2/modules/mod_jk.so(ajp_connect_to_endpoint+0x65)[0x7fe9a7c7bf75]
    /usr/lib/apache2/modules/mod_jk.so(+0x36422)[0x7fe9a7c7d422]
    /usr/lib/apache2/modules/mod_jk.so(+0x1674c)[0x7fe9a7c5d74c]
    /usr/sbin/apache2(ap_run_handler+0x40)[0x7fe9ab65fbe0]
    /usr/sbin/apache2(ap_invoke_handler+0x69)[0x7fe9ab660129]
    /usr/sbin/apache2(ap_process_async_request+0x20a)[0x7fe9ab6756ca]
    /usr/sbin/apache2(+0x69500)[0x7fe9ab672500]
    /usr/sbin/apache2(ap_run_process_connection+0x40)[0x7fe9ab669220]
    /usr/lib/apache2/modules/mod_mpm_event.so(+0x681b)[0x7fe9a783981b]
    /lib/x86_64-linux-gnu/libpthread.so.0(+0x8184)[0x7fe9aab38184]
    /lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7fe9aa86537d]*
    === Memory map:
    7fe68800-7fe68806a000 rw-p 00:00 0
    7fe68806a000-7fe68c00 ---p 00:00 0
    ...
    7fffa6c27000-7fffa6c48000 rw-p 00:00 0 [stack]
    7fffa6c86000-7fffa6c88000 r-xp 00:00 0 [vdso]
    ff60-ff601000 r-xp 00:00 0 [vsyscall]
    [Wed Jun 29 05:01:50.052325 2016] [core:notice] [pid 1747:tid 140641581987712] AH00051: child pid 17018 exit signal Aborted (6), possible coredump in /etc/apache2

I was able to trace it down to the method nb_connect in jk_connect.c. In version 1.2.41 the issue is line 291:

    280>    do {
    281>        rc = connect(sd, (const struct sockaddr *)&addr->sa.sin, addr->salen);
    282>    } while (rc == -1 && errno == EINTR);
    283>
    284>    if ((rc == -1) && (errno == EINPROGRESS || errno == EALREADY)
    285>        && (timeout > 0)) {
    286>        fd_set wfdset;
    287>        struct timeval tv;
    288>        socklen_t rclen = (socklen_t)sizeof(rc);
    289>
    290>        FD_ZERO(&wfdset);
    *291>       FD_SET(sd, &wfdset);*
    292>        tv.tv_sec = timeout / 1000;
    293>        tv.tv_usec = (timeout % 1000) * 1000;
    294>        rc = select(sd + 1, NULL, &wfdset, NULL, &tv);

From what I understand a buffer overflow would only happen for FD_SET if the fd_set gets over 1024 descriptors. I made sure that my ulimit for open files is set and applied large enough, so that's not it.

I tried to switch FD_SET to poll and it seems to work now also for sd greater than 1024:

    struct pollfd pfd_read;
    pfd_read.fd = sd;
    pfd_read.events = POLLOUT;
    rc = poll(&pfd_read, 1, timeout);

This would be a possible fix for the problem - at least it works fine in my setup. Also, poll() already seems to be used somewhere else in this particular source file, so no extra import necessary.

Here are more configuration files:

/etc/libapache2-mod-jk/httpd-jk.conf

    JkWorkersFile /etc/libapache2-mod-jk/workers.properties
    JkLogFile /var/log/apache2/mod_jk.log
    JkLogLevel warn
    JkShmFile /var/log/apache2/jk-runtime-status

/etc/libapache2-mod-jk/workers.properties

    workers.tomcat_home=/usr/share/tomcat6
    workers.java_home=/usr/lib/jvm/java-6-sun
    ps=/
    worker.list=loadbalancer
    worker.loadbalancer.type=lb
    worker.loadbalancer.balance_workers=ajp13_worker,ajp13_worker2
    worker.loadbalancer.sticky_session=0
    worker.ajp13_worker.port=xxx
    worker.ajp13_worker.host=localhost
    worker.ajp13_worker.type=ajp13
    worker.ajp13_worker.ping_mode=A
    worker.ajp13_worker.secret=xxx
    worker.ajp13_worker.fail_on_status=503
    worker.ajp13_worker.connection_pool_size=32768
    worker.ajp13_worker.redirect=ajp13_worker2
    worker.ajp13_worker2.port=xxx
    worker.ajp13_worker2.host=otherhost
    worker.ajp13_worker2.type=ajp13
    worker.ajp13_worker2.ping_mode=A
    worker.ajp13_worker2.secret=xxx
    worker.ajp13_worker2.fail_on_status=503
    worker.ajp13_worker2.connection_pool_size=32768
    worker.ajp13_worker2.activation=disabled

/etc/tomcat6/server.xml

Apache mpm_event:

    StartServers 2
    ServerLimit 16
    MinSpareThreads 256
    MaxSpareThreads 1280
    ThreadLimit 1024
    ThreadsPe
[Bug 59897] Buffer Overflow in FD_SET in nb_connect (jk_connect.c) leading to apache2 crash
https://bz.apache.org/bugzilla/show_bug.cgi?id=59897

--- Comment #1 from Michael Diener ---
One more thing to add, although Apache mpm_event is used, most connections are via SSL, so AFAIK it should behave like mpm_worker.

--
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
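Added example, not code from the bug report or from mod_jk: FD_SETSIZE is a compile-time constant (1024 with glibc) that is independent of the open-files limit, so a process allowed more than 1024 descriptors can hand FD_SET() a socket it cannot represent. The sketch below shows a range check for select() users and a poll()-based wait for a non-blocking connect() that has no such limit; the function names fd_fits_fd_set, wait_writable_poll and demo_high_fd are hypothetical, and the socketpair input is constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* fd_set is a fixed bitmap of FD_SETSIZE bits, so FD_SET() is only valid for
 * descriptors below that constant, whatever the open-files limit is. */
int fd_fits_fd_set(int sd) { return sd >= 0 && sd < FD_SETSIZE; }

/* Wait until sd is writable, then fetch the connect() result from SO_ERROR.
 * Returns 0 on success, -1 with errno set on error or timeout. */
int wait_writable_poll(int sd, int timeout_ms)
{
    struct pollfd pfd = { .fd = sd, .events = POLLOUT };
    int rc, err = 0;
    socklen_t len = sizeof(err);
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc == -1 && errno == EINTR);
    if (rc == 0) errno = ETIMEDOUT;
    if (rc <= 0) return -1;
    if (getsockopt(sd, SOL_SOCKET, SO_ERROR, &err, &len) == -1) return -1;
    errno = err;
    return err ? -1 : 0;
}

/* Constructed check: duplicate a socket onto a descriptor >= FD_SETSIZE and
 * wait on it. Returns 0 = ok, 1 = skipped (fd limit too low), -1 = failed. */
int demo_high_fd(void)
{
    struct rlimit rl;
    int sv[2], hi, rc;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
        rl.rlim_cur = rl.rlim_max;           /* raise soft limit, best effort */
        setrlimit(RLIMIT_NOFILE, &rl);
    }
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    hi = fcntl(sv[0], F_DUPFD, FD_SETSIZE);  /* lowest free fd >= FD_SETSIZE */
    if (hi == -1) rc = 1;
    else rc = fd_fits_fd_set(hi) ? -1 : wait_writable_poll(hi, 1000);
    if (hi != -1) close(hi);
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void) { return demo_high_fd() < 0; }
```

Code that has to stay on select() can call fd_fits_fd_set() before FD_SET() and fail the connection attempt cleanly instead of aborting the whole server process.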
[Bug 59115] Part#getSubmittedFileName doesn't work correctly with double quotes in filenames.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59115

Konstantin Kolinko changed:

    What       |Removed   |Added
    Resolution |FIXED     |---
    Status     |RESOLVED  |REOPENED

--- Comment #11 from Konstantin Kolinko ---
This needs further investigation.

Using RFC 6266 is an error: it defines a response header, not a request one. Section "1. Introduction" of RFC 6266 has the following note:

    Note: This document does not apply to Content-Disposition header fields appearing in payload bodies transmitted over HTTP, such as when using the media type "multipart/form-data" ([RFC2388]).

Links:
https://tools.ietf.org/html/rfc6266
https://tools.ietf.org/html/rfc2388 (Obsoleted by: 7578)
https://tools.ietf.org/html/rfc7578
[Bug 59899] New: Tomcat-embed-core brings outdated JPA API
https://bz.apache.org/bugzilla/show_bug.cgi?id=59899

Bug ID: 59899
Summary: Tomcat-embed-core brings outdated JPA API
Product: Tomcat 8
Version: 8.5.4
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Packaging
Assignee: dev@tomcat.apache.org
Reporter: stephane.nic...@gmail.com

I just noticed that `tomcat-embed-core` brings an outdated JPA API. Spring Framework 5 requires JPA 2.1 now and unless I order the classpath in a certain way, my app breaks when deployed in embedded tomcat because of this.

Would it be possible to upgrade the JPA API that Tomcat brings?
[Bug 59899] Tomcat-embed-core brings outdated JPA API
https://bz.apache.org/bugzilla/show_bug.cgi?id=59899

--- Comment #1 from Mark Thomas ---
Hmm. We have a sub-set of the JPA annotations so we can do resource injection. It would be better if we could remove that dependency entirely. I wonder if that is possible.
[Bug 57830] Add support for ProxyProtocol
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

bon...@gmail.com changed:

    What |Removed |Added
    CC   |        |bon...@gmail.com
[Tomcat Wiki] Update of "SupportAndTraining" by GregTrasuk
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "SupportAndTraining" page has been changed by GregTrasuk:
https://wiki.apache.org/tomcat/SupportAndTraining?action=diff&rev1=47&rev2=48

Comment:
Add Web Age Solutions to training provider listings.

Rogue Wave [[http://www.roguewave.com/|Roguewave Tomcat Support]] / OpenLogic [[http://www.openlogic.com/|Roguewave Tomcat Support]] offers a comprehensive week-long instructor-led training program for developers and admins. Rogue Wave OpenLogic also provides Architecture and Design Consulting, and a Developer Support contract to assist in the development of web applications. + [[http://www.webagesolutions.com/index.html|{{http://www.webagesolutions.com/img/web-age-solutions.png|http://www.webagesolutions.com}}]] + + Web Age Solutions offers [[http://www.webagesolutions.com/courses/servers-operating-systems-training|Apache Tomcat training and mentoring]] on-site in the US, Canada and worldwide, at a training center, in a Live Virtual Class, or through our subscription-based video library. + === Example company name === Use this example as a basis for your entry. New entries should be added just above this example.
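Review bot: the added Web Age Solutions entry opens directly with an image link and has no "=== ... ===" heading line, while the example entry right below it, which the page says to use as a basis for new entries, starts with "=== Example company name ==="; suggest adding a "=== Web Age Solutions ===" heading above the logo so the listing follows the template. The logo is also embedded by hotlinking "http://www.webagesolutions.com/img/web-age-solutions.png" from the vendor's own site over plain HTTP, so every view of the wiki page fetches third-party content; a plain text link, or an image attached to the wiki itself, would avoid that.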