ironbee / ironbee

Universal web application security sensor intended for real-time monitoring and defense.
https://www.ironbee.com/
Apache License 2.0

Processing an HTTP/1.1 TRACE request causes an Abort #7

Closed wmetcalf closed 12 years ago

wmetcalf commented 13 years ago

Sending the following HTTP/1.0 TRACE request produces the expected result:

./ironbee_test.py --local-apache --one-shot="TRACE / HTTP/1.0\r\nHost: foo\r\n\r\n"

However, sending an HTTP/1.1 TRACE request results in an abort.

./ironbee_test.py --local-apache --one-shot="TRACE / HTTP/1.1\r\nHost: foo\r\n\r\n" results in:

Entry from error.log:

apache2: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
[Tue Jun 14 16:52:20 2011] [debug] mod_ironbee.c(270): IronBee: Child exit pid=21844
[Tue Jun 14 16:52:20 2011] [debug] mod_ironbee.c(270): IronBee: Child exit pid=21843
[Tue Jun 14 16:52:20 2011] [debug] mod_ironbee.c(270): IronBee: Child exit pid=21926
[Tue Jun 14 16:52:20 2011] [info] removed PID file /home/coz/workspace2/waf-qa/server_root/lo

bt

gdb apache2 server_root/tmp/core
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/apache2...done.
[New Thread 21846]
[New Thread 21855]
[New Thread 21858]
[New Thread 21894]
[New Thread 21842]
[New Thread 21872]
[New Thread 21853]
[New Thread 21917]
[New Thread 21848]
[New Thread 21878]
[New Thread 21861]
[New Thread 21891]
[New Thread 21867]
[New Thread 21850]
[New Thread 21864]
[New Thread 21882]
[New Thread 21921]
[New Thread 21910]
[New Thread 21869]
[New Thread 21913]
[New Thread 21875]
[New Thread 21885]
[New Thread 21905]
[New Thread 21888]
[New Thread 21896]
[New Thread 21903]
[New Thread 21900]

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libpcre.so.3...Reading symbols from /usr/lib/debug/lib/libpcre.so.3.12.1...done.
done.
Loaded symbols for /lib/libpcre.so.3
Reading symbols from /usr/lib/libaprutil-1.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libaprutil-1.so.0
Reading symbols from /usr/lib/libapr-1.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libapr-1.so.0
Reading symbols from /lib/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/libpthread-2.11.1.so...done.
done.
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.1.so...done.
done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/libuuid.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libuuid.so.1
Reading symbols from /lib/librt.so.1...Reading symbols from /usr/lib/debug/lib/librt-2.11.1.so...done.
done.
Loaded symbols for /lib/librt.so.1
Reading symbols from /lib/libcrypt.so.1...Reading symbols from /usr/lib/debug/lib/libcrypt-2.11.1.so...done.
done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libdl.so.2...Reading symbols from /usr/lib/debug/lib/libdl-2.11.1.so...done.
done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libexpat.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libexpat.so.1
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.1.so...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libnss_files.so.2...Reading symbols from /usr/lib/debug/lib/libnss_files-2.11.1.so...done.
done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /usr/lib/apache2/modules/mod_proxy.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/apache2/modules/mod_proxy.so
Reading symbols from /usr/lib/apache2/modules/mod_proxy_http.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/apache2/modules/mod_proxy_http.so
Reading symbols from /usr/lib/apache2/modules/mod_unique_id.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/apache2/modules/mod_unique_id.so
Reading symbols from /usr/lib/libxml2.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libxml2.so
Reading symbols from /lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.1
Reading symbols from /lib/libm.so.6...Reading symbols from /usr/lib/debug/lib/libm-2.11.1.so...done.
done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /usr/local/lib/libhtp.so...done.
Loaded symbols for /usr/local/lib/libhtp.so
Reading symbols from /usr/local/ironbee/lib/mod_ironbee.so...done.
Loaded symbols for /usr/local/ironbee/lib/mod_ironbee.so
Reading symbols from /usr/lib/libdb-4.8.so...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libdb-4.8.so
Reading symbols from /usr/local/ironbee/lib/libironbee.so.0...done.
Loaded symbols for /usr/local/ironbee/lib/libironbee.so.0
Reading symbols from /usr/local/ironbee/lib/libibutil.so.0...done.
Loaded symbols for /usr/local/ironbee/lib/libibutil.so.0
Reading symbols from /usr/local/ironbee/lib/ibmod_pcre.so...done.
Loaded symbols for /usr/local/ironbee/lib/ibmod_pcre.so
Reading symbols from /usr/local/ironbee/lib/ibmod_htp.so...done.
Loaded symbols for /usr/local/ironbee/lib/ibmod_htp.so
Reading symbols from /usr/local/ironbee/lib/ibmod_poc_sig.so...done.
Loaded symbols for /usr/local/ironbee/lib/ibmod_poc_sig.so
Reading symbols from /usr/local/ironbee/lib/ibmod_lua.so...done.
Loaded symbols for /usr/local/ironbee/lib/ibmod_lua.so
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `apache2 -d /home/coz/workspace2/waf-qa/server_root -f /home/coz/workspace2/waf-'.
Program terminated with signal 6, Aborted.

#0  0x00007f8172499a75 in *__GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt full

#0  0x00007f8172499a75 in *__GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64

    pid = <value optimized out>
    selftid = <value optimized out>

#1  0x00007f817249d5c0 in *__GI_abort () at abort.c:92

    act = {__sigaction_handler = {sa_handler = 0x7f81727e4e98 <main_arena+88>, sa_sigaction = 0x7f81727e4e98 <main_arena+88>}, sa_mask = {__val = {140193946074784, 140193885201184, 48, 140193885201424, 140193945145574, 
          206158430256, 140193885201464, 140193885201216, 140193981182592, 140193981182697, 0, 140733710881996, 140193946061562, 140193946065247, 3096, 19133042704}}, sa_flags = 1953202304, 
      sa_restorer = 0x7f8170250000 <core_dir_site_start+208>}
    sigs = {__val = {32, 0 <repeats 15 times>}}

#2  0x00007f81724e1214 in __malloc_assert (av=0x7f81727e4e40, bytes=568) at malloc.c:352

No locals.

#3  _int_malloc (av=0x7f81727e4e40, bytes=568) at malloc.c:4480

    nb = 140193946079344
    idx = <value optimized out>
    bin = <value optimized out>
    victim = 0x7f81727e4e98
    size = 48
    victim_index = <value optimized out>
    remainder = <value optimized out>
    remainder_size = <value optimized out>
    block = <value optimized out>
    bit = <value optimized out>
    map = <value optimized out>
    fwd = <value optimized out>
    bck = <value optimized out>
    errstr = <value optimized out>
    __func__ = "_int_malloc"

#4  0x00007f81724e258e in *__GI___libc_malloc (bytes=568) at malloc.c:3660

    ar_ptr = 0x7f81727e4e40
    victim = <value optimized out>
    __func__ = "__libc_malloc"

#5  0x00007f81724ce4cb in __fopen_internal (filename=0x7f817472b280 "/home/coz/workspace2/waf-qa/server_root/logs/audit/20110614/2152/4df7d814-1aa8-4588-8fff-555298765432.log", mode=0x5556 <Address 0x5556 out of bounds>, is32=6)
    at ../sysdeps/wordsize-64/../../libio/iofopen.c:76

No locals.

#6  0x00007f817025162e in core_audit_open (lpi=, log=0x7f8174723440) at core.c:345

    dtmp = "20110614/2152\000\000\000\340'\272n\201\177\000\000@\rkt\201\177\000"
    dn = "/home/coz/workspace2/waf-qa/server_root/logs/audit/20110614/2152\000\000\000\000\000\000\000\000\311q%p\201\177\000\000k\257rt\201\177\000\000`7Vr\201\177\000\000\001\200\255\373\000\000\000\000k\257rt\201\177\000\000k\257rt\201\177\000\000k\257rt\201\177\000\000k\257rt\201\177\000\000q\257rt\201\177\000\000v\257rt\201\177\000\000k\257rt\201\177\000\000v\257rt\201\177", '\000' <repeats 46 times>, "\004\000\000\000\t\000\000\000\000\000\000\000\000\000~r\201\177\000\000\000\000\000\000\000\000\000\000\370\036rt\004\000\000\000\340\034Pr\201\177\000\000\060 ", '\000' <repeats 14 times>"\240"...
    tm = <value optimized out>
    ret = <value optimized out>
    cfg = 0x7f81747234a0
    corecfg = 0x7f81746bc3e8
    rc = <value optimized out>
    fnsize = <value optimized out>
    fn = <value optimized out>
    ec = <value optimized out>

#7  0x00007f8170251730 in audit_api_write_log (lpi=0x7f81746c3060) at core.c:903

    log = 0x7f8174723440
    node = <value optimized out>
    rc = <value optimized out>

#8  0x00007f817024c5c3 in ib_clog_auditlog_write (ctx=0x7f81746bc0a0) at logger.c:520

    corecfg = 0x7f81746bc3e8
    pi = 0x5552
    rc = <value optimized out>

#9  0x00007f8170253c25 in logevent_hook_postprocess (ib=0x7f81746b0040, tx=0x7f8174721e70, cbdata=) at core.c:2013

    log = <value optimized out>

    corecfg = 0x7f81746bc3e8
    audit = 0x7f81746c3060
    events = 0x7f816f5c5de8
    tv = {tv_sec = 1308088340, tv_usec = 11237}
    boundary = "6b8b4567-4df7d814-1aa8-4588-8fff-555298765432"
    rc =

#10 0x00007f81702491ae in ib_state_notify (ib=0x7f81746b0040, event=, param=0x7f8174721e70) at engine.c:713

    hook = 0x7f81746b0e60
    rc = IB_OK

#11 0x00007f817024921a in ib_state_notify_tx (ib=0x5552, event=21846, tx=0x6) at engine.c:876

    hook = <value optimized out>
    rc = <value optimized out>

#12 0x00007f817024933a in ib_state_notify_response_finished (ib=0x7f81746b0040, tx=0x7f8174721e70) at engine.c:1433

    rc = IB_OK

#13 0x00007f816fa28bb7 in modhtp_htp_response (connp=) at htp.c:670

    tx = 0x7f8174721280
    ib = 0x7f81746b0040

#14 0x00007f81709d5853 in hook_run_all (hook=0x7f817471d0d0, data=0x7f81747137a0) at hooks.c:144

No locals.

#15 0x00007f81709de24c in htp_connp_RES_IDLE (connp=0x7f81747137a0) at htp_response.c:725

    rc = <value optimized out>

#16 0x00007f81709ddd19 in htp_connp_res_data (connp=0x7f81747137a0, timestamp=0x5556, data=0x6 <Address 0x6 out of bounds>, len=18446744073709551615) at htp_response.c:872

    rc = 0

#17 0x00007f816fa2813b in modhtp_iface_data_out (pi=, qcdata=0x7f816eba2b90) at htp.c:933

    ib = 0x7f81746b0040
    iconn = <value optimized out>
    modctx = 0x7f81746c6348
    htp = 0x7f81747137a0
    rc = IB_OK
    tv = {tv_sec = 1308088340, tv_usec = 11110}
    ec = <value optimized out>

#18 0x00007f81707cb807 in process_bucket (f=0x7f817470daf0, b=0x7f8174711b68) at mod_ironbee.c:225

    c = 0x7f817470d370
    icdata = {ib = 0x7f81746b0040, mp = 0x7f81746c60e8, conn = 0x7f81746c60f0, dalloc = 5, dlen = 5, data = 0x7f8173314e44 "0\r\n\r\n"}
    bdata = 0x0
    nbytes = 5
    rc = <value optimized out>

#19 0x00007f81707cb8ab in ironbee_output_filter (f=0x7f817470daf0, bb=0x7f817471ec20) at mod_ironbee.c:709

    b = 0x7f8174711b68

#20 0x00007f8173306e14 in ap_http_chunk_filter (f=, b=0x7f817471ec20) at /build/buildd/apache2-2.2.14/modules/http/chunk_filter.c:189

    bytes = 140193981125384
    eos = 0x7f8174711ac8
    flush = 0x7f816eba3700
    chunk_hdr = " \000\000\000\000\000\000\000\210\322qt\201\177\000\000H\353qt"
    c = 0x7f817470d370
    more = 0x0
    e = 0x7f8174711ac8
    rv = <value optimized out>

#21 0x00007f81732e7ae0 in ap_content_length_filter (f=0x7f817471e768, b=0x7f817471ec20) at /build/buildd/apache2-2.2.14/server/protocol.c:1335

    r = 0x7f817471d308
    ctx = 0x7f817471e9e8
    e = 0x1
    eblock = 4294967295

#22 0x00007f8173304560 in ap_process_request (r=0x7f817471d308) at /build/buildd/apache2-2.2.14/modules/http/http_request.c:292

    access_status = 0

#23 0x00007f8173301498 in ap_process_http_connection (c=0x7f817470d370) at /build/buildd/apache2-2.2.14/modules/http/http_core.c:190

    r = 0x7f817471d308
    csd = 0x0

#24 0x00007f81732faf38 in ap_run_process_connection (c=0x7f817470d370) at /build/buildd/apache2-2.2.14/server/connection.c:43

    n = 0
    rv = 0

#25 0x00007f8173309e82 in process_socket (thd=, dummy=) at /build/buildd/apache2-2.2.14/server/mpm/worker/worker.c:544

    current_conn = <value optimized out>
    conn_id = <value optimized out>
    csd = 11
    sbh = 0x7f817470d368

#26 worker_thread (thd=, dummy=) at /build/buildd/apache2-2.2.14/server/mpm/worker/worker.c:894

    process_slot = 0
    thread_slot = 0
    csd = 0x7f817470d158
    bucket_alloc = <value optimized out>
    last_ptrans = <value optimized out>
    ptrans = 0x7f817470d0d8
    rv = <value optimized out>
    is_idle = <value optimized out>

#27 0x00007f8172a2feb3 in ?? () from /usr/lib/libapr-1.so.0

No symbol table info available.

#28 0x00007f81727ef9ca in start_thread (arg=) at pthread_create.c:300

    __res = <value optimized out>
    pd = 0x7f816eba3700
    unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140193885206272, 8331452854070113607, 0, 0, 0, 0, -8314320773401316025, -8314312558771079865}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, 
          cleanup = 0x0, canceltype = 0}}}
    not_first_call = <value optimized out>
    robust = <value optimized out>
    freesize = <value optimized out>
    __PRETTY_FUNCTION__ = "start_thread"

#29 0x00007f817254c70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

No locals.

#30 0x0000000000000000 in ?? ()

No symbol table info available.
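A small regression check of the kind a QA suite would carry for this report, added here as an example; it is not code from the IronBee project and it is not the ironbee_test.py harness the reporter used. It builds the same two raw TRACE requests byte-for-byte, classifies from the client side whether the worker answered or vanished, and scans error.log lines for the glibc-assertion-then-"Child exit" sequence quoted in the report. The host, port and the sample log lines are constructed assumptions.

```python
"""Regression check for the TRACE-request abort described in this issue.

Added example, not code from the IronBee project or from the reporter's
ironbee_test.py tool. Assumes a locally running Apache+mod_ironbee instance
(host and port are hypothetical) and the Apache error.log format shown in
the report.
"""
import re
import socket

# Matches the glibc malloc assertion line from the report's error.log entry.
ASSERT_RE = re.compile(r"malloc\.c:\d+: \w+: Assertion .* failed\.")
# Matches the mod_ironbee "Child exit" debug lines that followed it.
CHILD_EXIT_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[debug\] mod_ironbee\.c\(\d+\): IronBee: Child exit pid=(?P<pid>\d+)"
)

# Constructed sample shaped like the error.log excerpt in the report
# (assertion text shortened; same pids as the report).
SAMPLE_ERROR_LOG = [
    "apache2: malloc.c:3096: sYSMALLOc: Assertion `(old_top == ...)' failed.",
    "[Tue Jun 14 16:52:20 2011] [debug] mod_ironbee.c(270): IronBee: Child exit pid=21844",
    "[Tue Jun 14 16:52:20 2011] [debug] mod_ironbee.c(270): IronBee: Child exit pid=21843",
    "[Tue Jun 14 16:52:20 2011] [debug] mod_ironbee.c(270): IronBee: Child exit pid=21926",
]


def build_trace_request(version: str, host: str = "foo") -> bytes:
    """Raw TRACE request, byte-for-byte what the report's --one-shot payload sends."""
    if version not in ("1.0", "1.1"):
        raise ValueError("version must be '1.0' or '1.1'")
    return f"TRACE / HTTP/{version}\r\nHost: {host}\r\n\r\n".encode("ascii")


def exchange(conn, request: bytes, max_bytes: int = 65536) -> str:
    """Send one raw request on a connected socket-like object (sendall/recv)
    and classify the outcome:
      'response' - an HTTP status line came back (the worker survived),
      'closed'   - the peer closed or reset with nothing sent, which is what a
                   worker aborting in the output filter looks like to a client,
      'timeout'  - nothing arrived before the socket timeout,
      'garbage'  - bytes arrived that are not an HTTP status line.
    """
    conn.sendall(request)
    chunks, total = [], 0
    while total < max_bytes:
        try:
            data = conn.recv(4096)
        except socket.timeout:
            if not chunks:
                return "timeout"
            break
        except ConnectionResetError:
            break
        if not data:
            break
        chunks.append(data)
        total += len(data)
    reply = b"".join(chunks)
    if not reply:
        return "closed"
    return "response" if reply.startswith(b"HTTP/1.") else "garbage"


def scan_error_log(lines):
    """Return (assertion_seen, [child pids]) where the pids come from Child exit
    lines logged after a malloc assertion, i.e. the crash signature in the report."""
    assertion_seen = False
    pids = []
    for line in lines:
        if ASSERT_RE.search(line):
            assertion_seen = True
            continue
        m = CHILD_EXIT_RE.search(line)
        if m and assertion_seen:
            pids.append(int(m.group("pid")))
    return assertion_seen, pids


def check_trace_regression(host="127.0.0.1", port=8080, timeout=5.0):
    """Send the HTTP/1.0 and HTTP/1.1 TRACE requests from the report to a live
    server and return {version: outcome}. Both should be 'response' once fixed."""
    results = {}
    for version in ("1.0", "1.1"):
        with socket.create_connection((host, port), timeout=timeout) as conn:
            results[version] = exchange(conn, build_trace_request(version))
    return results


if __name__ == "__main__":
    seen, pids = scan_error_log(SAMPLE_ERROR_LOG)
    print("assertion seen:", seen, "child exits after it:", pids)
    try:
        print(check_trace_regression())  # hypothetical local host/port
    except OSError as exc:
        print("no local server to test against:", exc)
```

Run against a live instance, an unfixed build shows the HTTP/1.0 request as 'response' and the HTTP/1.1 request as 'closed' (the worker aborted before writing a status line), and scan_error_log over the fresh error.log tail reports the pids of the exited children; a fixed build shows 'response' for both and no assertion.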

ironbee commented 12 years ago

This issue is fixed; test added to QA suite to detect regressions.