check_http (2.2.1) segmentation fault

Posted: Tue Jun 19, 2018 2:36 pm
by ajz
Howdy,

Today, I am sometimes seeing a segmentation fault on the current check_http plugin (2.2.1 via the EPEL RPM) against a particular host.
The issue is in decode_chunked_page()'s parsing logic, perhaps when it encounters extra whitespace (spaces, newlines, and tabs) at the top of the body (which is present in today's cached page that the plugin happens to be getting).

While this is temporary and can be fixed by regenerating the cache on the server side, this seems to expose some issue in the plugin's parsing of chunked content. I haven't delved deeply into the code (and haven't dealt with C in a while), but I've included a gdb backtrace showing the issue.

(gdb) run
Starting program: /usr/lib64/nagios/plugins/check_http -H www.berkeley.edu -S -v
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
SSL initialized
GET / HTTP/1.1
User-Agent: check_http/v2.2.1.git (nagios-plugins 2.2.1)
Connection: close
Host: www.berkeley.edu
Accept: */*


https://www.berkeley.edu:443/ is 49725 characters
STATUS: HTTP/1.1 200 OK

Program received signal SIGSEGV, Segmentation fault.
__memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1553
1553		movdqu	0x50(%rsi), %xmm5
(gdb) backtrace full
#0  __memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1553
No locals.
#1  0x0000555555557eba in memmove (__len=1143144, __src=0x5555557c3315, __dest=<optimized out>) at /usr/include/bits/string3.h:57
No locals.
#2  decode_chunked_page (
    raw=raw@entry=0x5555557bcac3 "   \n \t    \n          \n\t<!DOCTYPE html>\n<html lang=\"en\" class=\"no-js\">\n<head>\n<meta charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\"/>\n<title>Home | University of California, Berke"...,
    dst=dst@entry=0x5555557bcac3 "   \n \t    \n          \n\t<!DOCTYPE html>\n<html lang=\"en\" class=\"no-js\">\n<head>\n<meta charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\"/>\n<title>Home | University of California, Berke"...) at check_http.c:725
        chunksize = 1143144
        raw_pos = 0x5555557c3315 "media-left\">\n", ' ' <repeats 12 times>, "\t<div class=\"date\">\n\t\t\t\t\t\t\t\t\t", ' ' <repeats 16 times>, "\n\t\t\t\t\t<span class=\"month\">JUN</span> <span class=\"day\">21</span>\n", '\t' <repeats 13 times>, "</div>\n\t\t\t</div>\n\t\t\t<div class=\"media-body\">\n\t\t\t\t\t\t\t"...
        dst_pos = <optimized out>
#3  0x000055555555994c in check_http () at check_http.c:1237
        msg = 0x0
        status_line = 0x5555557a3470 "HTTP/1.1 200 OK"
        status_code = <optimized out>
        header = 0x5555557bc9b1 "Date: Tue, 19 Jun 2018 19:20:41 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nServer: Apache/2.4\r\nX-Powered-By: PHP/5.4.16\r\nVary: Accept-Encoding,User-Age"...
        page = 0x5555557bcac3 "   \n \t    \n          \n\t<!DOCTYPE html>\n<html lang=\"en\" class=\"no-js\">\n<head>\n<meta charset=\"utf-8\">\n<meta http-equiv=\"X-UA-Compatible\" content=\"IE=Edge\"/>\n<title>Home | University of California, Berke"...
        auth = 0x0
        i = <optimized out>
        pagesize = 49725
        full_page = <optimized out>
        full_page_new = <optimized out>
        buf = 0x5555557b4c30 "GET / HTTP/1.1\r\nUser-Agent: check_http/v2.2.1.git (nagios-plugins 2.2.1)\r\nConnection: close\r\nHost: www.berkeley.edu\r\nAccept: */*\r\n\r\n"
        pos = <optimized out>
        microsec = 171406
        elapsed_time = 0.17140599999999998
        microsec_connect = <optimized out>
        elapsed_time_connect = 0.027892
        microsec_ssl = <optimized out>
        elapsed_time_ssl = 0.051819999999999998
        microsec_firstbyte = <optimized out>
        elapsed_time_firstbyte = 0.067794999999999994
        microsec_headers = 20
        elapsed_time_headers = 1.9999999999999998e-05
        microsec_transfer = <optimized out>
        elapsed_time_transfer = 0.091553999999999996
        page_len = 0
        result = 0
        force_host_header = <optimized out>
        bad_response = 0
        save_char = <optimized out>
#4  0x0000555555557738 in main (argc=5, argv=<optimized out>) at check_http.c:183
        result = 3

Headers output from a verbose non-segfaulting run:

https://www.berkeley.edu:443/ is 49724 characters
STATUS: HTTP/1.1 200 OK
**** HEADER ****
Date: Tue, 19 Jun 2018 19:20:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: Apache/2.4
X-Powered-By: PHP/5.4.16
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=300
Expires: Tue, 19 Jun 2018 19:25:38 GMT
-AJ
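
The backtrace in the post above shows memmove() being called with chunksize = 1143144 on a page of 49725 characters. As an added illustration (not the plugin's code and not from the poster), here is an in-place chunked decoder that checks each chunk size against the bytes actually left in the buffer before copying; the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: parse a chunk-size line strictly (hex digits only,
 * no leading whitespace or sign, both of which strtol() would accept). */
static int parse_chunk_size(const char *p, const char *end,
                            size_t *size, const char **next)
{
    size_t n = 0;
    const char *s = p;
    for (; p < end; p++) {
        int d;
        if (*p >= '0' && *p <= '9') d = *p - '0';
        else if (*p >= 'a' && *p <= 'f') d = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') d = *p - 'A' + 10;
        else break;
        if (n > ((size_t)-1 >> 4)) return -1;    /* next shift would overflow */
        n = (n << 4) | (size_t)d;
    }
    if (p == s) return -1;                       /* no hex digits at all */
    while (p < end && *p != '\n') p++;           /* skip extensions and CR */
    if (p == end) return -1;                     /* size line not terminated */
    *size = n;
    *next = p + 1;
    return 0;
}

/* Decode in place; returns the decoded length, or -1 if the body is malformed. */
long decode_chunked_checked(char *buf, size_t len)
{
    const char *src = buf, *end = buf + len;
    char *dst = buf;
    size_t chunk;

    for (;;) {
        if (parse_chunk_size(src, end, &chunk, &src) != 0) return -1;
        if (chunk == 0) break;                       /* last-chunk marker */
        if (chunk > (size_t)(end - src)) return -1;  /* claims more than we hold */
        memmove(dst, src, chunk);                    /* dst <= src, may overlap */
        dst += chunk;
        src += chunk;
        if (src < end && *src == '\r') src++;
        if (src == end || *src != '\n') return -1;   /* missing chunk terminator */
        src++;
    }
    return (long)(dst - buf);
}
```

A caller that gets -1 can report the response as malformed instead of crashing on an out-of-bounds read.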

Re: check_http (2.2.1) segmentation fault

Posted: Tue Jun 19, 2018 4:42 pm
by scottwilkerson
I tried running this with a 2.2.1 build from source against the same website and I do not experience the issue.

I have tried numerous other websites and cannot as well.

Can you replicate it consistently?

If it is only replicable in the EPEL RPM, that would have to be filed against the nagios-plugins package on https://bugzilla.redhat.com as it could be something specific to what they build.

Re: check_http (2.2.1) segmentation fault

Posted: Tue Jun 19, 2018 7:05 pm
by ajz
Thanks for the response!

I was able to replicate it on the current EPEL RPMs for RHEL6 and RHEL7 on different systems, but I did not get to building from source directly.

I'll dig into the RPM spec tomorrow to see if it is patching/changing the original source before building, and follow up with the package maintainer(s) if so.

Thanks again,
-AJ

Re: check_http (2.2.1) segmentation fault

Posted: Wed Jun 20, 2018 8:10 am
by scottwilkerson
Thanks!