[Varnish] #255: Varnish segfaults on certain response header sets
Varnish
varnish-bugs at projects.linpro.no
Sat Jun 21 20:59:43 CEST 2008
#255: Varnish segfaults on certain response header sets
-----------------------+----------------------------------------------------
 Reporter:  rafrombrc  |        Owner:  phk
     Type:  defect     |       Status:  closed
 Priority:  normal     |    Milestone:
Component:  varnishd   |      Version:  trunk
 Severity:  critical   |   Resolution:  fixed
 Keywords:             |
-----------------------+----------------------------------------------------
Changes (by phk):

  * status:  new => closed
  * resolution:  => fixed

Old description:

> I'm testing varnish in front of a collection of HTTP services. Depending
> on how I have things configured in my upstream app, the response headers
> can vary slightly. Some combinations of response headers work fine, but
> others cause varnish to segfault, but only in cases where the response
> body is longer than approx 9000 bytes.
>
> Here's an example of a header set that does NOT cause the problem:
>
> Outgoing headers: (200 OK)
> Server: Zope/(Zope 2.10.5-final, python 2.4.4, linux2) ZServer/1.1
> Plone/3.0.7 (svn/unreleased)
> Date: Thu, 19 Jun 2008 21:14:49 GMT
> Content-Length: 18347
> Expires: Mon, 22 Jun 1998 21:14:49 GMT
> Last-Modified: Sun, 27 Nov 2005 05:41:47 GMT
> X-Caching-Rule-Id: 7
> Cache-Control: max-age=0, s-maxage=3600, must-revalidate
> Content-Type: text/html; charset=utf-8
> X-Header-Set-Id: cache-in-proxy-1-hour
>
> The following response headers cause varnish to crash:
>
> Outgoing headers: (200 OK)
> Server: Zope/(Zope 2.10.5-final, python 2.4.4, linux2) ZServer/1.1
> Plone/3.0.7 (svn/unreleased)
> Date: Thu, 19 Jun 2008 21:14:49 GMT
> Content-Length: 18347
> Expires: Thu, 19 Jun 2008 21:14:49 GMT
> Last-Modified: Sun, 27 Nov 2005 05:41:47 GMT
> X-Caching-Rule-Id: 7
> Cache-Control: must-revalidate, max-age = 0
> Content-Type: text/html; charset=utf-8
> X-Header-Set-Id: cache-in-proxy-1-hour
>
> Note that the only difference in the header sets are the Cache-Control
> and Expires headers.
>
> I can reproduce this problem with the varnish 1.1.2 release, the 1.2 svn
> branch, and the svn trunk. I'm using Ubuntu 7.10. 'uname -a' generates
> the following:
>
> Linux parsifal 2.6.22-14-generic #1 SMP Tue Feb 12 02:46:46 UTC 2008
> x86_64 GNU/Linux
>
> My VCL file and a core dump are attached.

New description:

I'm testing varnish in front of a collection of HTTP services. Depending
on how I have things configured in my upstream app, the response headers
can vary slightly. Some combinations of response headers work fine, but
others cause varnish to segfault, but only in cases where the response
body is longer than approx 9000 bytes.

Here's an example of a header set that does NOT cause the problem:
{{{
Outgoing headers: (200 OK)
Server: Zope/(Zope 2.10.5-final, python 2.4.4, linux2) ZServer/1.1
Plone/3.0.7 (svn/unreleased)
Date: Thu, 19 Jun 2008 21:14:49 GMT
Content-Length: 18347
Expires: Mon, 22 Jun 1998 21:14:49 GMT
Last-Modified: Sun, 27 Nov 2005 05:41:47 GMT
X-Caching-Rule-Id: 7
Cache-Control: max-age=0, s-maxage=3600, must-revalidate
Content-Type: text/html; charset=utf-8
X-Header-Set-Id: cache-in-proxy-1-hour
}}}

The following response headers cause varnish to crash:
{{{
Outgoing headers: (200 OK)
Server: Zope/(Zope 2.10.5-final, python 2.4.4, linux2) ZServer/1.1
Plone/3.0.7 (svn/unreleased)
Date: Thu, 19 Jun 2008 21:14:49 GMT
Content-Length: 18347
Expires: Thu, 19 Jun 2008 21:14:49 GMT
Last-Modified: Sun, 27 Nov 2005 05:41:47 GMT
X-Caching-Rule-Id: 7
Cache-Control: must-revalidate, max-age = 0
Content-Type: text/html; charset=utf-8
X-Header-Set-Id: cache-in-proxy-1-hour
}}}

Note that the only difference in the header sets are the Cache-Control and
Expires headers.

I can reproduce this problem with the varnish 1.1.2 release, the 1.2 svn
branch, and the svn trunk. I'm using Ubuntu 7.10. 'uname -a' generates
the following:

Linux parsifal 2.6.22-14-generic #1 SMP Tue Feb 12 02:46:46 UTC 2008
x86_64 GNU/Linux

My VCL file and a core dump are attached.

Comment:

This was a bug in the header field parsing code (http_GetHdrField()) which
didn't like whitespace before the = in "max-age = 0".

Fixed in #2760.

Regression test created (r00255.vtc)

--
Ticket URL: <http://varnish.projects.linpro.no/ticket/255#comment:2>
Varnish <http://varnish.projects.linpro.no/>
The Varnish HTTP Accelerator
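
The whitespace case named in the comment above ("max-age = 0"), as an added example that is not part of the ticket and is not Varnish's code: a directive lookup over a comma-separated header value that accepts blanks on either side of the = and never scans past the terminating NUL. The name hdr_field and its signature are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Hypothetical helper, not Varnish's http_GetHdrField(): find directive `name`
 * in a comma-separated header value. Returns 1 if present; *val / *vlen give
 * its value (vlen 0 if none). Quoted values containing commas are not handled.
 */
static int
hdr_field(const char *h, const char *name, const char **val, size_t *vlen)
{
	size_t nl = strlen(name);

	while (*h != '\0') {
		h += strspn(h, ", \t");		/* list separators; stops at NUL */
		const char *t = h;		/* start of directive name */
		h += strcspn(h, ",= \t");	/* name ends at blank, '=' or ',' */
		int hit = ((size_t)(h - t) == nl && strncasecmp(t, name, nl) == 0);
		h += strspn(h, " \t");		/* blanks BEFORE '=' are legal input */
		const char *v = h, *e = h;
		if (*h == '=') {
			v = h + 1 + strspn(h + 1, " \t");	/* blanks after '=' */
			h = v + strcspn(v, ",");		/* value runs to ',' or NUL */
			for (e = h; e > v && (e[-1] == ' ' || e[-1] == '\t'); e--)
				continue;			/* trim trailing blanks */
		}
		h += strcspn(h, ",");		/* ignore junk after a bare name */
		if (hit) {
			*val = v;
			*vlen = (size_t)(e - v);
			return (1);
		}
	}
	return (0);
}

int
main(void)
{
	/* Cache-Control value taken from the crashing header set in the ticket. */
	const char *v, *cc = "must-revalidate, max-age = 0";
	size_t n;

	if (hdr_field(cc, "max-age", &v, &n))
		printf("max-age -> \"%.*s\"\n", (int)n, v);
	return (0);
}
```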