timeout handler / segfaults

On 17.08.2005 05:58:22 by lusky

I found a couple of messages about this in the archives, but I don't see any
responses. It looks like the SIGALRM timeout handler is getting called
while SSL is blocked in write(), the SSL context is free()'d in the timeout
handler, and finally when the handler returns to where we were blocked,
OpenSSL is referencing the SSL context that was already free()'d. Maybe I'm
missing something, but it seems like this should be causing a segfault
any time an Apache timeout occurs while writing to an SSL socket.


==30422== Invalid read of size 4
==30422== at 0x1BA3C781: sock_write (bss_sock.c:226)
==30422== by 0x1BA3A90D: BIO_write (bio_lib.c:200)
==30422== by 0x1B9CB94A: ssl3_write_pending (s3_pkt.c:696)
==30422== by 0x1B9CB5BD: ssl3_write_bytes (s3_pkt.c:541)
==30422== by 0x1B9C9743: ssl3_write (s3_lib.c:1299)
==30422== by 0x1B9D1AAB: SSL_write (ssl_lib.c:756)
==30422== by 0x8081031: ssl_io_hook_write (ssl_engine_io.c:384)
==30422== by 0x80B983E: ap_hook_call_func (ap_hook.c:721)
==30422== by 0x80B945F: ap_hook_call (ap_hook.c:382)
==30422== by 0x8094B73: ap_write (buff.c:318)
==30422== by 0x8095913: write_with_errors (buff.c:365)
==30422== by 0x80959C6: bcwrite (buff.c:1170)
==30422== Address 0x1BB6CBAC is 20 bytes inside a block of size 64 free'd
==30422== at 0x1B9019D9: free (vg_replace_malloc.c:152)
==30422== by 0x1BA0AF7C: CRYPTO_free (mem.c:254)
==30422== by 0x1BA3A6B6: BIO_free (bio_lib.c:136)
==30422== by 0x1BA3B09F: BIO_free_all (bio_lib.c:456)
==30422== by 0x1B9D0F74: SSL_free (ssl_lib.c:354)
==30422== by 0x807DF8D: ssl_hook_CloseConnection (ssl_engine_kernel.c:533)
==30422== by 0x809FC34: ap_call_close_connection_hook (http_main.c:460)
==30422== by 0x80A071F: timeout (http_main.c:1584)
==30422== by 0x80A0912: alrm_handler (http_main.c:1646)
==30422== by 0x1B91574D: __pthread_sighandler (in /lib/i686/libpthread-0.10.so)
==30422== by 0x42028557: (within /lib/i686/libc-2.3.2.so)
==30422== by 0x1BA3A90D: BIO_write (bio_lib.c:200)
(gdb) break http_main.c:1584
Breakpoint 1 at 0x80a0712: file http_main.c, line 1584.
(gdb) cont
Continuing.
[Switching to Thread 16384 (LWP 32750)]

Breakpoint 1, timeout (sig=14) at http_main.c:1584
1584 http_main.c: No such file or directory.
in http_main.c
(gdb) bt
#0 timeout (sig=14) at http_main.c:1584
#1 0x080a0913 in alrm_handler (sig=0) at http_main.c:1646
#2 0x4002374e in __pthread_sighandler () from /lib/i686/libpthread.so.0
#3 <signal handler called>
#4 0x400238a8 in write () from /lib/i686/libpthread.so.0
#5 0x401b7548 in __JCR_LIST__ () from /lib/libcrypto.so.2
#6 0x4014290e in BIO_write (b=0xbfffc138, in=0x81eef50, inl=8221)
at bio_lib.c:200
#7 0x400d694b in ssl3_write_pending (s=0xbfffc0bc, type=0, buf=0x0,
len=8192)
at s3_pkt.c:696
#8 0x400d65be in ssl3_write_bytes (s=0x8173970, type=23, buf_=0xbfffc670,
len=0) at s3_pkt.c:541
#9 0x400d4744 in ssl3_write (s=0x2000, buf=0x0, len=8192) at s3_lib.c:1299
#10 0x400dcaac in SSL_write (s=0x1, buf=0x1, num=1) at ssl_lib.c:756
#11 0x08081032 in ssl_io_hook_write (fb=0x2000,
buf=0xbfffc670 "m"..., len=8192)
at ssl_engine_io.c:384
#12 0x080b983f in ap_hook_call_func (ap=0x0, he=0x80ed888, hf=0x42138c90)
at ap_hook.c:721
#13 0x080b9460 in ap_hook_call (hook=0x0) at ap_hook.c:382
#14 0x08094b74 in ap_write (fb=0x80ed888, buf=0x0, nbyte=8192) at buff.c:318
#15 0x08095914 in write_with_errors (fb=0x80ed888, buf=0xbfffc670, nbyte=0)
at buff.c:365
#16 0x080959c7 in bcwrite (fb=0x8107e68, buf=0xbfffc670, nbyte=8192)
at buff.c:1170
#17 0x08095d2b in ap_bwrite (fb=0x8107e68, buf=0xbfffc670, nbyte=8192)
at buff.c:1384
#18 0x080a8e11 in ap_send_fd_length (f=0x81f57a0, r=0x81c6b78,
length=85684453)
at http_protocol.c:2386
#19 0x0809e7fa in default_handler (r=0x2000) at http_core.c:4196
#20 0x08096ba9 in ap_invoke_handler (r=0x81c6b78) at http_config.c:487
#21 0x080abbd4 in process_request_internal (r=0x81c6b78) at
http_request.c:1298
#22 0x080abe2b in ap_process_request (r=0x81c6b78) at http_request.c:1314
#23 0x080a395e in child_main (child_num_arg=0) at http_main.c:4872
#24 0x080a3b57 in make_child (s=0x0, slot=0, now=0) at http_main.c:5051
#25 0x080a3cad in startup_children (number_to_start=1) at http_main.c:5078
#26 0x080a48db in standalone_main (argc=2, argv=0xbfffe9b4) at
http_main.c:5410
#27 0x080a4c70 in main (argc=2, argv=0xbfffe9b4) at http_main.c:5767
#28 0x420158f7 in __libc_start_main () from /lib/i686/libc.so.6
(gdb)


(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x400d6950 in ssl3_write_pending (s=0x8173970, type=0, buf=0x0, len=8192)
at s3_pkt.c:705
705 s3_pkt.c: No such file or directory.
in s3_pkt.c
(gdb) bt
#0 0x400d6950 in ssl3_write_pending (s=0x8173970, type=0, buf=0x0,
len=8192)
at s3_pkt.c:705
#1 0x400d65be in ssl3_write_bytes (s=0x8173970, type=23, buf_=0xbfffc670,
len=0) at s3_pkt.c:541
#2 0x400d4744 in ssl3_write (s=0x2000, buf=0x0, len=8192) at s3_lib.c:1299
#3 0x400dcaac in SSL_write (s=0x201d, buf=0x201d, num=8221) at
ssl_lib.c:756
#4 0x08081032 in ssl_io_hook_write (fb=0x2000,
buf=0xbfffc670 "m"..., len=8192)
at ssl_engine_io.c:384
#5 0x080b983f in ap_hook_call_func (ap=0x0, he=0x80ed888, hf=0x106b)
at ap_hook.c:721
#6 0x080b9460 in ap_hook_call (hook=0x0) at ap_hook.c:382
#7 0x08094b74 in ap_write (fb=0x80ed888, buf=0x0, nbyte=8192) at buff.c:318
#8 0x08095914 in write_with_errors (fb=0x80ed888, buf=0xbfffc670, nbyte=0)
at buff.c:365
#9 0x080959c7 in bcwrite (fb=0x8107e68, buf=0xbfffc670, nbyte=8192)
at buff.c:1170
#10 0x08095d2b in ap_bwrite (fb=0x8107e68, buf=0xbfffc670, nbyte=8192)
at buff.c:1384
#11 0x080a8e11 in ap_send_fd_length (f=0x81f57a0, r=0x81c6b78,
length=85684453)
at http_protocol.c:2386
#12 0x0809e7fa in default_handler (r=0x2000) at http_core.c:4196
#13 0x08096ba9 in ap_invoke_handler (r=0x81c6b78) at http_config.c:487
#14 0x080abbd4 in process_request_internal (r=0x81c6b78) at
http_request.c:1298
#15 0x080abe2b in ap_process_request (r=0x81c6b78) at http_request.c:1314
#16 0x080a395e in child_main (child_num_arg=0) at http_main.c:4872
#17 0x080a3b57 in make_child (s=0x0, slot=0, now=0) at http_main.c:5051
#18 0x080a3cad in startup_children (number_to_start=1) at http_main.c:5078
#19 0x080a48db in standalone_main (argc=2, argv=0xbfffe9b4) at
http_main.c:5410
#20 0x080a4c70 in main (argc=2, argv=0xbfffe9b4) at http_main.c:5767
#21 0x420158f7 in __libc_start_main () from /lib/i686/libc.so.6
(gdb)

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
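The race described in the post, as an added example in C that is not code from Apache, mod_ssl or OpenSSL: a blocking write() is interrupted by SIGALRM, and instead of tearing down the connection inside the handler (the pattern the traces above show, where SSL_free runs from the alarm handler while SSL_write's BIO_write is still on the stack), the handler only sets a volatile sig_atomic_t flag. The write loop, once it has actually returned with EINTR, reports the timeout so the caller can free the context afterwards. struct conn_ctx, ctx_write_all, install_alarm_handler and demo_timeout are hypothetical names standing in for the SSL context and the mod_ssl I/O hook; the 8 MiB buffer written into a pipe nobody reads is constructed input that guarantees write() blocks until the one-second alarm fires.

```c
/* Added example, not Apache/mod_ssl/OpenSSL code: a SIGALRM timeout that
 * does not free anything inside the signal handler.
 * struct conn_ctx, ctx_write_all, install_alarm_handler and demo_timeout
 * are hypothetical names standing in for the SSL context and the I/O hook. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for the SSL context that the traces show being freed. */
struct conn_ctx {
    int fd;
    char *buf;
    size_t buflen;
};

static volatile sig_atomic_t timed_out = 0;
static int ctx_free_count = 0;   /* lets a caller check the context is freed exactly once */

static void ctx_free(struct conn_ctx *c) {
    if (c) { free(c->buf); free(c); ctx_free_count++; }
}

/* The handler from the traces would call the close-connection hook, i.e.
 * ctx_free(), from here. free() is not async-signal-safe, and the interrupted
 * write()/BIO_write() still holds a pointer to the context when the handler
 * returns, hence the use-after-free. This handler only sets a flag. */
static void alarm_handler(int sig) {
    (void)sig;
    timed_out = 1;
}

/* Install without SA_RESTART so a blocked write() returns -1 with EINTR
 * instead of being transparently restarted. */
static int install_alarm_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Write the whole buffer; on timeout return -1 with errno == ETIMEDOUT.
 * The context is never freed here: the caller decides what to do with it
 * once write() has actually returned. */
static ssize_t ctx_write_all(struct conn_ctx *c, unsigned timeout_sec) {
    size_t done = 0;
    timed_out = 0;
    alarm(timeout_sec);
    while (done < c->buflen) {
        ssize_t n = write(c->fd, c->buf + done, c->buflen - done);
        if (n < 0) {
            if (errno == EINTR && !timed_out) continue;   /* some other signal */
            alarm(0);
            if (errno == EINTR) errno = ETIMEDOUT;
            return -1;
        }
        done += (size_t)n;
    }
    alarm(0);
    return (ssize_t)done;
}

/* Demo with constructed input: 8 MiB into a pipe with no reader, so write()
 * fills the pipe buffer and then blocks until the one-second alarm fires.
 * Returns 1 if the timeout was reported cleanly and the context was freed
 * exactly once, after the interrupted write had returned. */
int demo_timeout(void) {
    int fds[2];
    if (pipe(fds) != 0 || install_alarm_handler() != 0) return 0;

    struct conn_ctx *c = malloc(sizeof *c);
    c->fd = fds[1];
    c->buflen = (size_t)8 << 20;
    c->buf = malloc(c->buflen);
    memset(c->buf, 'A', c->buflen);

    int before = ctx_free_count;
    ssize_t r = ctx_write_all(c, 1);
    int ok = (r == -1 && errno == ETIMEDOUT && timed_out == 1);

    ctx_free(c);                 /* freed here, in normal context, not in the handler */
    close(fds[0]);
    close(fds[1]);
    return ok && ctx_free_count == before + 1;
}

int main(void) {
    return demo_timeout() ? 0 : 1;
}
```

Exit status 0 means the timeout was reported after write() returned and the context was freed once, by the caller. The point is the ordering: memory the interrupted call still references must outlive the handler, and the handler itself may only touch async-signal-safe state. The same discipline applies if the timeout is implemented with SO_SNDTIMEO or poll(2) instead of an alarm, which avoids signals altogether.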