meinheld
meinheld copied to clipboard
stack smashing while bind on ipv6 port and using wrk to request it
Found this on Linux / macOS, with Python3.5/ 3.7, and meinheld version 1.0.1.
Way to reproduce this:
import flask
app = flask.Flask(__name__)
@app.route('/')
def x():
return 'x'
Starting with:
$ gunicorn -b'[::]:1234' -kmeinheld.gmeinheld.MeinheldWorker a:app
And run wrk:
wrk http://localhost:1234 -c 1 -t 1
You can see meinheld worker is exit randomly with logs like this:
*** stack smashing detected ***: /data00/home/xxx/ooo/venv/bin/python3 terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7fe35cbdabfb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7fe35cc63437]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7fe35cc63400]
/data00/home/xxx/ooo/venv/lib/python3.5/site-packages/meinheld/server.cpython-35m-x86_64-linux-gnu.so(+0xfe4f)[0x7fe35aaa9e4f]
/data00/home/xxx/ooo/venv/lib/python3.5/site-packages/meinheld/server.cpython-35m-x86_64-linux-gnu.so(picoev_poll_once_internal+0x95)[0x7fe35aaae265]
/data00/home/xxx/ooo/venv/lib/python3.5/site-packages/meinheld/server.cpython-35m-x86_64-linux-gnu.so(+0x10f0a)[0x7fe35aaaaf0a]
/data00/home/xxx/ooo/venv/bin/python3(PyCFunction_Call+0x77)[0x55ffb5e20287]
/data00/home/xxx/ooo/venv/bin/python3(PyEval_EvalFrameEx+0x48ef)[0x55ffb5dead0f]
/data00/home/xxx/ooo/venv/bin/python3(PyEval_EvalFrameEx+0x4b64)[0x55ffb5deaf84]
/data00/home/xxx/ooo/venv/bin/python3(+0x19002f)[0x55ffb5df002f]
This only happend with client wrk (a HTTP benchmark tool), but gunicorn with default worker sync
or gevent
, meinheld with chrome / curl have no issue.
I think wrk is sending some incompatible requests, but meinheld should not exit cause someone may make a DOS attack on it.
https://github.com/mopemope/meinheld/blob/94fc8dc49a6c36b9abbf9276943d443bfce55f83/meinheld/server/server.c#L1239-L1269
server.c uses sockaddr_in structure it is only for IPv4.