[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Segfault in mod_dav_svn with repositories on /

From: Lieven Govaerts <lgo_at_apache.org>
Date: Fri, 10 Jan 2014 11:53:20 +0100

Hi,

a customer is seeing reproducible httpd child process segfaults when
using Subversion.

Setup:
- Subversion 1.8.1 - WANDisco package subversion-1.8.1-1.x86_64.rpm
- Apache 2.2.15 - RedHat package httpd-2.2.15-26.el6.x86_64
- OS: Red Hat Enterprise Linux Server release 6.4
- Client: svn, version 1.7.9-SlikSvn-1.7.9-WIN32 (SlikSvn/1.7.9) WIN32

Apache is configured to use the prefork module. For Subversion we use
mod_dav_svn, but not mod_authz_svn.

We have a few svn repositories, all located on the root of the server.
Relevant extra of httpd config:
<Location />
 DAV svn
 SVNParentPath /data/scm/repositories/
 SVNListParentPath on
 SVNPathAuthz off
 ...
</Location>

A correct url in our setup is https://scm/repo.

Issue:
With this configuration, we can get httpd child processes to crash
systematically by connecting to the root of the server:
$ svn ls https://scm/
..
svn: E175002: Unable to connect to a repository at URL 'https://scm'
svn: E175002: OPTIONS of 'https://scm': Could not read status line:
Secure connection truncated (https://scm)

In the httpd access logs we see:
10.50.148.71 - - [20/Dec/2013:15:10:54 +0100] "OPTIONS / HTTP/1.1" 401 472

And in error.log (after activating core dump generation and
installation of debuginfo rpm's):
[Fri Dec 20 15:10:58 2013] [notice] child pid 18905 exit signal
Segmentation fault (11), possible coredump in /data/httpd/coredumps/

Core dump stacktrace:
$ gdb /usr/sbin/httpd core.17002
Program terminated with signal 11, Segmentation fault.
#0 dav_svn__build_uri (repos=<value optimized out>,
what=DAV_SVN__BUILD_URI_PUBLIC, revision=-1,
    path=<value optimized out>, add_href=0, pool=0x7f8ca55ba368) at
subversion/mod_dav_svn/util.c:249
249 if (root_path[1] == '\0')
(gdb) bt
#0 dav_svn__build_uri (repos=<value optimized out>,
what=DAV_SVN__BUILD_URI_PUBLIC, revision=-1,
    path=<value optimized out>, add_href=0, pool=0x7f8ca55ba368) at
subversion/mod_dav_svn/util.c:249
#1 0x00007f8c9794aed4 in get_option (resource=0x7f8ca55d2948,
elem=0x7f8ca55d2d30, option=0x7ffffcd83820)
    at subversion/mod_dav_svn/version.c:180
#2 0x00007f8c9c19539a in dav_method_options (r=<value optimized out>)
    at /usr/src/debug/httpd-2.2.15/modules/dav/main/mod_dav.c:1840
#3 0x00007f8c9c195fe8 in dav_handler (r=0x7f8ca55ba3e8)
    at /usr/src/debug/httpd-2.2.15/modules/dav/main/mod_dav.c:4650
#4 0x00007f8ca3630bb0 in ap_run_handler (r=0x7f8ca55ba3e8) at
/usr/src/debug/httpd-2.2.15/server/config.c:158
#5 0x00007f8ca363446e in ap_invoke_handler (r=0x7f8ca55ba3e8) at
/usr/src/debug/httpd-2.2.15/server/config.c:376
#6 0x00007f8ca363fb30 in ap_process_request (r=0x7f8ca55ba3e8)
    at /usr/src/debug/httpd-2.2.15/modules/http/http_request.c:282
#7 0x00007f8ca363c9a8 in ap_process_http_connection (c=0x7f8ca548d7b8)
    at /usr/src/debug/httpd-2.2.15/modules/http/http_core.c:190
#8 0x00007f8ca36386b8 in ap_run_process_connection (c=0x7f8ca548d7b8)
    at /usr/src/debug/httpd-2.2.15/server/connection.c:43
#9 0x00007f8ca3644977 in child_main (child_num_arg=<value optimized out>)
    at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:667
#10 0x00007f8ca3644c8a in make_child (s=0x7f8ca5301860, slot=12)
    at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:763
#11 0x00007f8ca364590c in perform_idle_server_maintenance
(_pconf=<value optimized out>,
    plog=<value optimized out>, s=<value optimized out>)
    at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:898
#12 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized
out>, s=<value optimized out>)
    at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:1102
#13 0x00007f8ca361c900 in main (argc=3, argv=0x7ffffcd83e68) at
/usr/src/debug/httpd-2.2.15/server/main.c:760

Looking at the code at the crash location, this looks like a simple
case of an incorrect assumption:

246: /* The first character of root_path is guaranteed to be "/". If
247: there's no component beyond that, then just use "", so that
248: appending another "/" later does not result in "//". */
249: if (root_path[1] == '\0')
250: root_path = "";

I'm wondering if this simple change will solve the issue (can't test
it here/now):

249: if (root_path[0] == '\0' || root_path[1] == '\0')
250: root_path = "";

Lieven
Received on 2014-01-10 11:54:17 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.