JoeDog / siege

Siege is an http load tester and benchmarking utility
GNU General Public License v3.0

Segmentation fault on cookie_get_domain() #223

Open Magentron opened 1 year ago

Magentron commented 1 year ago

Environment:

  • Ubuntu 22.04.2 LTS
  • Siege 4.0.7

Output:

...
HTTP/1.1 200     3.08 secs:   26002 bytes ==> GET  /url
HTTP/1.1 200     3.24 secs:   25953 bytes ==> GET  /url

Trace:

(gdb)  run -v -R siege/dev.conf -f siege/urls-dev.txt --header "X-Some-Header: value"
...
Thread 10 "siege" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xffff8d6cf120 (LWP 136)]
cookies_header.isra.0 (this=0x0, host=0xaaaac64d9d90 "www.website.com", newton=0x0, newton@entry=0xffff8d6cb500 "") at ./src/cookies.c:193
193     const char *domainptr = cookie_get_domain(cur->cookie);
(gdb) bt
#0  cookies_header.isra.0 (this=0x0, host=0xaaaac64d9d90 "www.website.com", newton=0x0, newton@entry=0xffff8d6cb500 "") at ./src/cookies.c:193
#1  0x0000aaaabbfbf1f8 in http_get (C=0xffff34000b70, U=0xaaaac64d7e80) at ./src/http.c:165
#2  0x0000aaaabbfc2824 in __http (this=this@entry=0xaaaac64d9f10, U=0xaaaac64d7e80) at ./src/browser.c:481
#3  0x0000aaaabbfc3244 in __request (U=<optimized out>, this=0xaaaac64d9f10) at ./src/browser.c:406
#4  start (this=0xaaaac64d9f10) at ./src/browser.c:295
#5  0x0000aaaabbfba4c4 in crew_thread (crew=0xaaaac64dac80) at ./src/crew.c:141
#6  0x0000ffff917cd5c8 in start_thread (arg=0x0) at ./nptl/pthread_create.c:442
#7  0x0000ffff91835d1c in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:79
(gdb) print cur
$1 = (NODE *) 0xffff740691c0
(gdb) print cur->cookie
$2 = (COOKIE) 0x0
(gdb)

JoeDog commented 1 year ago

The latest version is 4.1.7

https://github.com/JoeDog/siege/tree/master

On Tue, Jun 20, 2023 at 2:27 PM Jeroen Derks @.***> wrote:

Environment:

  • Ubuntu 22.04.2 LTS
  • Siege 4.0.7


-- Jeff Fulmer 1-717-799-8226 https://www.joedog.org/ He codes

Magentron commented 1 year ago

FYI: I generated the report on an Ubuntu docker instance after having had a segmentation fault on 4.1.7 on my Mac with the same command line arguments, but I don't have a working gdb on the Mac itself.

Now, looking at the current version of that file and the diff on src/cookie.c:163 (https://github.com/JoeDog/siege/compare/fc899df9c6f2d4c6833b85d937033b29a4c7c4d9..master#diff-41f754f41173c211d6ab331743f380d9d71834780af36c1723d939bfdbd4ee2aR163) and other parts of the code, it uses this check in cookie_get_domain():

if (this == NULL && this->domain == NULL)

This is incorrect: if the first part of the expression (this == NULL) is true, then it should not check the second part of the expression (this->domain == NULL), since this is then NULL and evaluating it will cause a segmentation fault due to a NULL dereference. So it should be (there and everywhere else):

if (this == NULL || this->domain == NULL)
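
The short-circuit behaviour behind that fix, as an added example in C (not code from the siege project): a hypothetical minimal model of a cookie list with the corrected `||` guard in cookie_get_domain(), and a header builder that walks a constructed list containing a node whose cookie pointer is NULL, which is exactly the state the gdb session above shows (cur->cookie == 0x0). The struct layouts, the domain_matches() helper and the sample cookies are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal model of siege's COOKIE / NODE types; constructed
 * for this example, not the project's real definitions. */
typedef struct {
  const char *name;
  const char *value;
  const char *domain;   /* may be NULL for a cookie without a Domain attribute */
} COOKIE_T, *COOKIE;

typedef struct NODE {
  COOKIE       cookie;  /* may be NULL, as in the gdb session in this issue */
  struct NODE *next;
} NODE;

/* Corrected guard: '||' short-circuits, so this->domain is never read when
 * 'this' is NULL. With '&&' (the expression quoted in the thread) a NULL
 * 'this' makes the left operand true, the right operand is then evaluated,
 * and the NULL dereference is the SIGSEGV reported above. */
const char *
cookie_get_domain(COOKIE this)
{
  if (this == NULL || this->domain == NULL) {
    return NULL;
  }
  return this->domain;
}

/* Returns 1 if 'host' equals 'domain' or is a subdomain of it (assumption:
 * a simplified domain-match rule, enough for this demonstration). */
static int
domain_matches(const char *host, const char *domain)
{
  size_t hl = strlen(host), dl = strlen(domain);
  if (dl > hl) return 0;
  if (strcmp(host + (hl - dl), domain) != 0) return 0;
  return hl == dl || host[hl - dl - 1] == '.';
}

/* Builds "name=value; name=value" for 'host' from a list that may contain
 * NULL cookies or cookies without a domain. Returns the number of cookies
 * written; neither kind of bad node can crash the loop. */
int
cookies_header(NODE *list, const char *host, char *out, size_t outlen)
{
  int n = 0;
  size_t used = 0;
  out[0] = '\0';
  for (NODE *cur = list; cur != NULL; cur = cur->next) {
    const char *domainptr = cookie_get_domain(cur->cookie);
    if (domainptr == NULL) continue;            /* NULL cookie or no domain: skip */
    if (!domain_matches(host, domainptr)) continue;
    int w = snprintf(out + used, outlen - used, "%s%s=%s",
                     n ? "; " : "", cur->cookie->name, cur->cookie->value);
    if (w < 0 || (size_t)w >= outlen - used) break;  /* output truncated: stop */
    used += (size_t)w;
    n++;
  }
  return n;
}

static char demo_buf[256];

/* Constructed sample list: one matching cookie, one NULL cookie node (the
 * crashing case), one cookie for another domain, one without a domain. */
int
demo(void)
{
  static COOKIE_T session = { "sid",  "abc123", "website.com" };
  static COOKIE_T other   = { "pref", "dark",   "example.org" };
  static COOKIE_T nodom   = { "tmp",  "x",      NULL };
  NODE n4 = { &nodom,   NULL };
  NODE n3 = { &other,   &n4 };
  NODE n2 = { NULL,     &n3 };   /* cur->cookie == 0x0, as in the gdb output */
  NODE n1 = { &session, &n2 };
  return cookies_header(&n1, "www.website.com", demo_buf, sizeof demo_buf);
}

const char *
demo_header(void)
{
  return demo_buf;
}

int
main(void)
{
  int n = demo();
  printf("%d cookie(s): %s\n", n, demo_header());
  return 0;
}
```

Running it prints one cookie, `sid=abc123`; the NULL node is skipped instead of being dereferenced. The same pattern applies wherever the `&&` form was copied: the NULL test must come first and must be joined with `||`, otherwise the guard only ever protects the case that cannot crash.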

JoeDog commented 1 year ago

That makes sense. I'll correct it.


JoeDog commented 1 year ago

I pushed out version 4.1.7-b4. Could you test it?


Magentron commented 1 year ago

I have compiled it locally on my Mac and still got a segfault, but as I said, I cannot debug here. I will try tomorrow.

JoeDog commented 1 year ago

Ok, let me know.
