[Tile-serving] [openstreetmap/mod_tile] Segfaults mod_tile.c:838 -> apr_strtok.c:46 (Issue #473)

zenonp notifications at github.com
Tue Jan 7 16:47:26 UTC 2025


I am suddenly seeing a huge number of httpd coredumps (578 in the past three hours, coming from only 10 unique IP addresses), all of them for the same cause:
```
(gdb) backtrace
#0  apr_strtok (str=0x7f3a8800fbc8 "88.54.217.50", sep=sep@entry=0x7f3aa9d62389 ", ", last=last@entry=0x0) at strings/apr_strtok.c:46
#1  0x00007f3aa9d5b2da in delay_allowed (state=tileCurrent, r=0x7f3a8801a8d0) at ./src/mod_tile.c:838
```
This is mod_tile passing the contents of X-Forwarded-For to apr_strtok, which then barfs. I don't understand C, but I suspected a type mismatch in apr_strtok expecting string and getting integer or vice versa.  So I tried to convert hex 0x7f3a8800fbc8 and 0x7f3aa9d62389 to text, and got 저 and 褀 respectively with UTF-16. 

Now, I am not sure that these two hex values were actually sent to apr_strtok, nor that my hex-to-UTF-16 conversion is the correct one, but it seems very likely that these clients are sending garbage in their X-Forwarded-For. Which is easy for anyone to do, accidentally or maliciously. And mod_tile does no sanity check on X-Forwarded-For before passing to apr_strtok whatever it got from the client. 

Thus, a sanity check just before mod_tile.c:838 would make a lot of sense, even if my troubleshooting is flawed somehow. 

mod_tile 0.7.1, httpd 2.4.62. 


-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/mod_tile/issues/473
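Added example, not part of the original message and not mod_tile's own code: the backtrace above shows `apr_strtok` entered with `last=0x0`, and a tokenizer with this interface stores its resume position through that pointer. The sketch below is a sanity check of the kind the report asks for, run on an X-Forwarded-For value before it is used. The names `tok_r`, `is_ip_literal`, `xff_check` and `XFF_MAX` are hypothetical, and `tok_r` is a stand-in with the same three-argument contract so the block builds without APR.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define XFF_MAX 256 /* hypothetical limit for this example */

/* Tokenizer with the (str, sep, last) contract of strtok_r/apr_strtok: the
 * resume position is written through `last`, so it must not be NULL. */
static char *tok_r(char *str, const char *sep, char **last)
{
    if (last == NULL) return NULL;            /* refuse rather than crash */
    if (str == NULL && (str = *last) == NULL) return NULL;
    str += strspn(str, sep);                  /* skip leading separators */
    char *end = str + strcspn(str, sep);      /* end of this token */
    if (*end != '\0') *end++ = '\0';
    *last = end;
    return *str ? str : NULL;
}

static int is_ip_literal(const char *s)
{
    unsigned char buf[16];                    /* large enough for IPv6 */
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Returns the number of addresses in the header and copies the first to
 * `out`; -1 if the header is missing, empty, oversized or has a bad token. */
int xff_check(const char *header, char *out, size_t outlen)
{
    char copy[XFF_MAX], *state = NULL, *tok;
    int n = 0;

    if (!header || !out || strlen(header) >= sizeof copy) return -1;
    strcpy(copy, header);                     /* tokenizing edits the buffer */
    for (tok = tok_r(copy, ", ", &state); tok; tok = tok_r(NULL, ", ", &state)) {
        if (!is_ip_literal(tok) || strlen(tok) >= outlen) return -1;
        if (n++ == 0) strcpy(out, tok);
    }
    return n ? n : -1;
}

int main(void)
{
    /* Constructed sample headers, not taken from the report. */
    const char *samples[] = { "192.0.2.10", "192.0.2.10, 2001:db8::1", "\xff\xfe junk", "" };
    char first[46];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d\n", xff_check(samples[i], first, sizeof first));
    return 0;
}
```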