Fix crash in DoH on empty query string in GET requests

Artem Boldariev requested to merge artem/doh-empty-query-string-crash-fix into main

An unhandled code path left GET query string data uninitialised (equal to NULL) and led to a crash during the requests' base64 data decoding. This commit fixes that.

Thread 3 "isc-net-0001" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff34fe640 (LWP 107379)]
0x00007ffff7f59599 in isc_base64_decodestring (cstr=0x1 <error: Cannot access memory at address 0x1>, target=target@entry=0x7ffff34f8e60) at base64.c:227
227			int c = *cstr++;
(gdb) bt
#0  0x00007ffff7f59599 in isc_base64_decodestring (cstr=0x1 <error: Cannot access memory at address 0x1>, target=target@entry=0x7ffff34f8e60) at base64.c:227
#1  0x00007ffff7f916b4 in server_on_request_recv (ngsession=ngsession@entry=0x7fffe827fa00, session=session@entry=0x7fffe82f7940, socket=0x7fffe8280400) at netmgr/http.c:2051
#2  0x00007ffff7f9175e in server_on_frame_recv_callback (ngsession=0x7fffe827fa00, frame=<optimized out>, user_data=0x7fffe82f7940) at netmgr/http.c:2265
#3  0x00007ffff726ed87 in nghttp2_session_mem_recv () from /usr/lib/libnghttp2.so.14
#4  0x00007ffff7f92a3f in http_readcb (handle=<optimized out>, result=<optimized out>, region=0x7ffff34f9030, data=0x7fffe82f7940) at netmgr/http.c:948
#5  0x00007ffff7f45927 in isc__nm_async_readcb (worker=worker@entry=0x0, ev0=ev0@entry=0x7ffff34f9080) at netmgr/netmgr.c:2705
#6  0x00007ffff7f45a92 in isc__nm_readcb (sock=sock@entry=0x7fffe827f000, uvreq=<optimized out>, eresult=eresult@entry=0) at netmgr/netmgr.c:2680
#7  0x00007ffff7f4a45b in isc__nm_tcp_read_cb (stream=<optimized out>, nread=306, buf=0x7ffff34f9140) at netmgr/tcp.c:895
#8  0x00007ffff744bedb in ?? () from /usr/lib/libuv.so.1
#9  0x00007ffff744cae8 in ?? () from /usr/lib/libuv.so.1
#10 0x00007ffff7452be6 in uv.io_poll () from /usr/lib/libuv.so.1
#11 0x00007ffff7441587 in uv_run () from /usr/lib/libuv.so.1
#12 0x00007ffff7f467a9 in nm_thread (worker0=0x7ffff4aa14b0) at netmgr/netmgr.c:682
#13 0x00007ffff7f8db22 in isc__trampoline_run (arg=0x7ffff4a864e0) at trampoline.c:180
#14 0x00007ffff7246259 in start_thread () from /usr/lib/libpthread.so.0
#15 0x00007ffff716d5e3 in clone () from /usr/lib/libc.so.6
(gdb) f 1
#1  0x00007ffff7f916b4 in server_on_request_recv (ngsession=ngsession@entry=0x7fffe827fa00, session=session@entry=0x7fffe82f7940, socket=0x7fffe8280400) at netmgr/http.c:2051
2051			if (isc_base64_decodestring(socket->h2.query_data,
(gdb) p socket->h2.query_data
$1 = 0x0
(gdb) 
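The crash above comes from a request path that reaches the base64 decoder with the query-string pointer still NULL. The following is an added example, not BIND 9's code: a hypothetical DoH GET target parser (names `doh_*` and `b64url_*` are invented for this illustration) in which an absent, empty or malformed `dns=` parameter is turned into a status code before any pointer reaches the decoder, so the decoder can never be handed NULL. It uses its own unpadded base64url decoder as RFC 8484 requires, rather than the `isc_base64_decodestring` routine seen in the backtrace; the sample request target is the one from RFC 8484 section 4.1.1.

```c
/* Added example, not BIND 9 code. Hypothetical hardened handling of the "dns"
 * parameter in a DoH GET target such as "/dns-query?dns=<base64url>".
 * Every failure mode (no query string, missing or empty parameter, bad
 * encoding, oversized payload) is reported as a status; nothing is decoded
 * until the value pointer is known to be valid. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sample target from RFC 8484 section 4.1.1: an A query for www.example.com. */
#define DOH_RFC8484_TARGET "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

typedef enum {
    DOH_OK = 0,
    DOH_NO_QUERY_STRING, /* no '?' in the target, or nothing after it */
    DOH_PARAM_MISSING,   /* query string present but no "dns=" in it */
    DOH_PARAM_EMPTY,     /* "dns=" present with an empty value */
    DOH_BAD_BASE64,      /* not valid unpadded base64url */
    DOH_TOO_LONG         /* decoded message would overflow the buffer */
} doh_status_t;

/* Point *val/*vallen at the value of `name` inside the target's query string.
 * A NULL target is rejected before anything is dereferenced. */
static doh_status_t
doh_find_param(const char *target, const char *name, const char **val, size_t *vallen)
{
    if (target == NULL) return DOH_NO_QUERY_STRING;
    const char *q = strchr(target, '?');
    if (q == NULL || q[1] == '\0') return DOH_NO_QUERY_STRING;
    q++;
    size_t namelen = strlen(name);
    while (*q != '\0') {
        const char *amp = strchr(q, '&');
        size_t plen = (amp != NULL) ? (size_t)(amp - q) : strlen(q);
        if (plen > namelen && strncmp(q, name, namelen) == 0 && q[namelen] == '=') {
            *val = q + namelen + 1;
            *vallen = plen - namelen - 1;
            return (*vallen == 0) ? DOH_PARAM_EMPTY : DOH_OK;
        }
        if (amp == NULL) break;
        q = amp + 1;
    }
    return DOH_PARAM_MISSING;
}

/* base64url alphabet (RFC 4648 section 5); '=' is rejected because RFC 8484
 * forbids padding in the dns parameter. */
static int
b64url_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Decode `inlen` base64url characters into `out`, bounded by `outcap`. */
static doh_status_t
b64url_decode(const char *in, size_t inlen, uint8_t *out, size_t outcap, size_t *outlen)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    if (inlen % 4 == 1) return DOH_BAD_BASE64; /* no byte string encodes to this length */
    for (size_t i = 0; i < inlen; i++) {
        int v = b64url_val((unsigned char)in[i]);
        if (v < 0) return DOH_BAD_BASE64;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return DOH_TOO_LONG;
            out[n++] = (uint8_t)((acc >> bits) & 0xffu);
        }
    }
    /* Leftover bits of the final partial byte must be zero. */
    if (bits > 0 && (acc & ((1u << bits) - 1u)) != 0) return DOH_BAD_BASE64;
    *outlen = n;
    return DOH_OK;
}

/* Full path: locate the parameter, then decode it. The decoder is only
 * reached with a non-NULL, non-empty value. */
doh_status_t
doh_decode_dns_param(const char *target, uint8_t *out, size_t outcap, size_t *outlen)
{
    const char *val = NULL;
    size_t vallen = 0;
    doh_status_t st = doh_find_param(target, "dns", &val, &vallen);
    if (st != DOH_OK) return st;
    return b64url_decode(val, vallen, out, outcap, outlen);
}

int
main(void)
{
    /* Constructed sample targets covering each failure mode plus a valid one. */
    const char *targets[] = { NULL, "/dns-query", "/dns-query?", "/dns-query?dns=",
                              "/dns-query?dns=AAA!", DOH_RFC8484_TARGET };
    uint8_t buf[512];
    for (size_t i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
        size_t n = 0;
        doh_status_t st = doh_decode_dns_param(targets[i], buf, sizeof(buf), &n);
        printf("%-60s -> status %d, %zu bytes\n", targets[i] ? targets[i] : "(NULL)", st, n);
    }
    return 0;
}
```

The RFC 8484 target decodes to a 33-byte message (12-byte header, the 17-byte name `www.example.com`, QTYPE A and QCLASS IN); the other targets each stop at a distinct status before the decoder runs.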