
Bug 746404

Summary: www-servers/bozohttpd segmentation fault fix
Product: Gentoo Linux
Reporter: Hadrien Lacour <hadrien.lacour>
Component: Current packages
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status: UNCONFIRMED
Severity: normal
CC: jstein, sam
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Hadrien Lacour 2020-10-04 00:09:07 UTC
Following https://bugs.gentoo.org/show_bug.cgi?id=746356, I noticed a reproducible segfault when loading a file then refreshing the page in my browser.

After investigation, this was due to these warnings:
bozohttpd.c: In function ‘parse_http_date’:
bozohttpd.c:957:19: warning: implicit declaration of function ‘strptime’; did you mean ‘strftime’? [-Wimplicit-function-declaration]
  957 |  if ((remainder = strptime(val, "%a, %d %b %Y %T GMT", &tm)) == NULL &&
      |                   ^~~~~~~~
      |                   strftime
bozohttpd.c:957:17: warning: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  957 |  if ((remainder = strptime(val, "%a, %d %b %Y %T GMT", &tm)) == NULL &&
      |                 ^
bozohttpd.c:958:17: warning: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  958 |      (remainder = strptime(val, "%a, %d-%b-%y %T GMT", &tm)) == NULL &&
      |                 ^
bozohttpd.c:959:17: warning: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  959 |      (remainder = strptime(val, "%a %b %d %T %Y", &tm)) == NULL)
      |                 ^
bozohttpd.c: In function ‘bozoasprintf’:
bozohttpd.c:2053:6: warning: implicit declaration of function ‘vasprintf’; did you mean ‘vsprintf’? [-Wimplicit-function-declaration]
 2053 |  e = vasprintf(str, fmt, ap);
      |      ^~~~~~~~~
      |      vsprintf
daemon-bozo.c: In function ‘bozo_daemon_init’:
daemon-bozo.c:172:3: warning: ignoring return value of ‘daemon’, declared with attribute warn_unused_result [-Wunused-result]
  172 |   daemon(1, 0);
      |   ^~~~~~~~~~~~
ssl-bozo.c: In function ‘bozo_ssl_printf’:
ssl-bozo.c:170:16: warning: implicit declaration of function ‘vasprintf’; did you mean ‘vsprintf’? [-Wimplicit-function-declaration]
  170 |  if ((nbytes = vasprintf(&buf, fmt, ap)) != -1)  {
      |                ^~~~~~~~~
      |                vsprintf


How the application managed to link with strptime not being defined is quite curious (some C89 vs C99 thing?), but my debugging pointed to the return of that "function".

Here's the commit that solved it in my overlay:
    Need to add the following feature test macros:
    _XOPEN_SOURCE to avoid segfault at bozohttpd.c:962 when refreshing page after
    loading, due to bad strptime definition
    _DEFAULT_SOURCE to allow compilation after _XOPEN_SOURCE was defined
    _GNU_SOURCE for vasprintf

    As _GNU_SOURCE defines "_XOPEN_SOURCE with the value 700 (600 in glibc versions
    before 2.10; 500 in glibc versions before 2.2)" and "since glibc 2.19, defining
    _GNU_SOURCE also has the effect of implicitly defining _DEFAULT_SOURCE", no
    need for the others.

diff --git a/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild b/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild
index 4aa2e95..8afeb77 100644
--- a/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild
+++ b/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild
@@ -26,7 +26,8 @@ src_prepare() {
 }

 src_compile() {
-       emake CC="$(tc-getCC)" OPT="${CFLAGS}" CPPFLAGS="${CPPFLAGS} -DDO_HTPASSWD" LDLIBS=-lcrypt
+       emake CC="$(tc-getCC)" OPT="${CFLAGS}" LDLIBS=-lcrypt \
+               CPPFLAGS="${CPPFLAGS} -DDO_HTPASSWD -D_GNU_SOURCE"
 }

 src_install() {
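Review bot: this should land as a revision bump (bozohttpd-20190228-r2.ebuild) rather than an in-place edit of bozohttpd-20190228-r1.ebuild, because adding -D_GNU_SOURCE to CPPFLAGS changes the installed binary and users who already merged -r1 would otherwise never rebuild with the fix. A short comment above the CPPFLAGS line saying that _GNU_SOURCE is what exposes the strptime() and vasprintf() prototypes would also keep the reasoning from the commit message next to the line it justifies.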


PS: bozohttpd seems quite wonky; does anyone know another minimalist (like bozohttpd or thttpd) but maintained HTTP server with CGI, HTTP basic auth and directory listing?
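Added example, not bozohttpd's code: a parse_http_date() in the same shape as the one in the warnings above, built with _GNU_SOURCE defined before the first include so that strptime() and timegm() carry real prototypes. Without the declaration the compiler assumes strptime() returns int, so the 64-bit char * is truncated and sign-extended before the caller dereferences it; the date strings below are constructed inputs.

```c
/* Added example (not bozohttpd's code): the same three HTTP date formats
 * that bozohttpd's parse_http_date() tries, parsed with strptime() once the
 * feature-test macro that declares it is in effect. Without a declaration,
 * C assumes strptime() returns int: the 64-bit char * is truncated to
 * 32 bits and sign-extended, so the caller dereferences garbage. */
#define _GNU_SOURCE /* declares strptime() and timegm(); must precede every #include */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Parse an HTTP/1.1 date (RFC 1123, RFC 850 or asctime form) into a UTC
 * epoch. Returns (time_t)-1 if no format consumes the whole string. */
static time_t parse_http_date(const char *val)
{
    static const char *const fmts[] = {
        "%a, %d %b %Y %T GMT", /* RFC 1123: Sun, 11 Oct 2020 00:09:07 GMT */
        "%a, %d-%b-%y %T GMT", /* RFC 850:  Sunday, 11-Oct-20 00:09:07 GMT */
        "%a %b %d %T %Y",      /* asctime:  Sun Oct 11 00:09:07 2020 */
    };
    for (size_t i = 0; i < sizeof fmts / sizeof fmts[0]; i++) {
        struct tm tm;
        memset(&tm, 0, sizeof tm);
        const char *rest = strptime(val, fmts[i], &tm);
        /* Accept only a full match; a NULL or partial result is a clean
         * failure here, whereas with an implicit int declaration the
         * pointer check itself would be the crash site. */
        if (rest != NULL && *rest == '\0')
            return timegm(&tm);
    }
    return (time_t)-1;
}

int main(void)
{
    const char *samples[] = { /* constructed inputs, including a bad one */
        "Sun, 11 Oct 2020 00:09:07 GMT",
        "Sunday, 11-Oct-20 00:09:07 GMT",
        "Sun Oct 11 00:09:07 2020",
        "11/10/2020",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %lld\n", samples[i], (long long)parse_http_date(samples[i]));
    return 0;
}
```

Compiling the same file without the _GNU_SOURCE line reproduces the implicit-declaration warning from the build log, which is the signal that should have been treated as an error.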
Comment 1 Hadrien Lacour 2020-10-04 00:19:39 UTC
Since the default service configuration makes it run as root (need to uncomment the "USER=daemon" line in /etc/conf.d/bozohttpd), maybe a security news is warranted?
Comment 2 John Helmert III gentoo-dev Security 2020-10-04 02:47:34 UTC
(In reply to Hadrien Lacour from comment #1)
> Since the default service configuration makes it run as root (need to
> uncomment the "USER=daemon" line in /etc/conf.d/bozohttpd), maybe a security
> news is warranted?

I'm not sure what you mean by "security news", but since it seems this crash comes about after building with a modified ebuild, that would be an invalid bug for Gentoo. Please reopen if you can reproduce this issue with the ebuild that Gentoo ships.

If that is a valid build configuration to upstream, I would also encourage you to report the issue upstream.
Comment 3 Hadrien Lacour 2020-10-04 10:52:18 UTC
The segfault can be reproduced with the default ebuild:
$ mkdir www
$ echo 'hello world' >www/test.txt
$ bozohttpd -b -f -i localhost -I 8000 -s -X www &
$ firefox 'http://localhost:8000/test.txt'
After loading, refresh the page
$ dmesg | tail -n2
[ 9743.332360] bozohttpd[10826]: segfault at 666cb75d ip 0000556f6648e6a2 sp 00007fff0eb36540 error 4 in bozohttpd[556f66485000+15000]
[ 9743.332368] Code: 6f 78 4d 85 ed 74 3e 4c 8d 64 24 50 31 c0 48 8d 35 6e 6d 00 00 4c 89 ef 4c 89 e2 e8 68 c4 ff ff 85 c0 0f 84 30 05 00 00 48 98 <80> 38 00 75 16 4c 89 e7 e8 61 c4 ff ff 48 39 84 24 e8 00 00 00 0f

The command line is the same as the bundled server with default configuration, only with -f (foreground) and -s (stderr logging) added.
Comment 4 Hadrien Lacour 2020-10-04 11:07:10 UTC
bundled service*