Potential memory corruption in `stream_line_reader`

[ngxson]

Hi,

I would like to report a recent problem that I found on the latest version 0.18.5

To test it, I compiled this simple program:

#include <httplib.h>

int main(void)
{
  using namespace httplib;

  Server svr;

  svr.set_pre_routing_handler([](const auto& req, auto& res) {
    if (req.method == "OPTIONS") {
      res.set_content("world", "text/html");
      return Server::HandlerResponse::Handled;
    }
    return Server::HandlerResponse::Unhandled;
  });

  svr.Get("/hi", [](const Request& req, Response& res) {
    res.set_content("Hello World!", "text/plain");
  });

  // Match the request path against a regular expression
  // and extract its captures
  svr.Get(R"(/numbers/(\d+))", [&](const Request& req, Response& res) {
    auto numbers = req.matches[1];
    res.set_content(numbers, "text/plain");
  });

  // Capture the second segment of the request path as "id" path param
  svr.Get("/users/:id", [&](const Request& req, Response& res) {
    auto user_id = req.path_params.at("id");
    res.set_content(user_id, "text/plain");
  });

  // Extract values from HTTP headers and URL query params
  svr.Get("/body-header-param", [](const Request& req, Response& res) {
    if (req.has_header("Content-Length")) {
      auto val = req.get_header_value("Content-Length");
    }
    if (req.has_param("key")) {
      auto val = req.get_param_value("key");
    }
    res.set_content(req.body, "text/plain");
  });

  svr.Get("/stop", [&](const Request& req, Response& res) {
    svr.stop();
  });

  svr.listen("0.0.0.0", 8080);
}

Upon running it, I place a breakpoint when calling parse_request_line

  // Request line and headers
  if (!parse_request_line(line_reader.ptr(), req) ||       // <== breakpoint
      !detail::read_headers(strm, req.headers)) {
    res.status = StatusCode::BadRequest_400;
    return write_response(strm, close_connection, req, res);
  }

The buffer of stream_line_reader seems to contains data from somewhere else:

Please note that, this happens 80% of the time. When it work correctly, the buffer must contains HTTP request data:

When the server first started, the first request never has this problem. This suggest that there maybe race condition between threads when accessing a shared variable.

[ngxson]

If I add #define CPPHTTPLIB_ALLOW_LF_AS_LINE_TERMINATOR the problem goes away

Hmm no sorry it still does not resolve the problem

[ngxson]

Btw, it can only be triggered with a large payload, and it does not work 100% of the time.

curl --location --request OPTIONS 'http://localhost:8080/v1/chat/completions' \
--header 'Content-Type: text/plain' \
--data 'testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest'

[yhirose]

@ngxson thanks for reporting and investigating the bug. I'll take a look at it.

[yhirose]

@ngxson I tried to reproduce the problem on my MacBook, but so far I am not able to do it... Can I ask you to test with v0.18.3 and v0.18.4 for me?

I suspect this problem is caused by the following commit which is included in v0.18.4.
9c36aae

Could you also give me your compiler options that cause this problem please? (I am using g++ and clang++.)

Thanks for your help!

[yhirose]

@ngxson could you please try with the v0.18.6? (I am not still able to reproduce it.)

[ngxson]

yeah sorry I was quite busy the past few days, going back to this issue now

[ngxson]

Hmm no it's still the problem. I'm testing with a different payload. This time, for testing, I'm sending 140 times the same string 0123456789 repeated, with a HEAD request (strangely, only HEAD is affected)

But now I realize that maybe it's not memory corruption, but because we're reading the left over bytes from the last request.

By adding a printf:

  std::array<char, 2048> buf{};

  detail::stream_line_reader line_reader(strm, buf.data(), buf.size());

  // Connection has been closed on client
  if (!line_reader.getline()) { return false; }
  printf("%s\n", line_reader.ptr());

On the console, I see:

6789012345678901234567890123456 (... a lot more but I truncated...) 678901234567890123456789HEAD /v1/chat/completions HTTP/1.1

And the server response with 414 URI Too Long status code.

[ngxson]

Ok with Connection: close header, this now works without any problem. So I'm pretty sure that we're reading left over bytes from last request with keep-alive. Do you have any clues how to fix? @yhirose

---

Edit: a bit more info, this header is controlled by the browser, so will be kinda a pain since browser usually send that HEAD request using keep-alive, it's for CORS preflight

[yhirose]

@ngxson thanks for the further info. Could you show the code or script which sends the request. I'll try to reproduce it on my machine.

[ngxson]

Sure, to make it easily reproducible, you can use Postman:

I'm using the same code in the issue description.

The payload is the string 0123456789 repeated 140 times. Make sure that the Connection header is set to keep-alive and the method set to HEAD

When hitting "Send" for a few times, sometimes you will see 414 URI Too Long status code.

[falbrechtskirchinger]

HEAD requests incorrectly ignore the Content-Length header (there's a TODO comment about that). That's easy to fix.
When reading the start of a request, we should probably bail immediately, if we don't see a valid request method.
Also, if not already done, the server should always respond with Connection: close after a 400 generated by the server. For example, what happens if the server receives a TRACE request? I imagine, that whatever data was sent, will get mixed up with the next request, as TRACE is recognized as a valid method, but not explicitly handled (and Content-Length is likewise ignored at the moment).
Further, why is PRI handled at all? The HTTP/2 preface was chosen so most HTTP/1.x servers would naturally reject such requests, yet this library goes out of its way to handle them. 😆

So, I'll submit a PR for the immediate issue, but it needs a follow-up.