NetBSD Problem Report #59644
From www@netbsd.org Tue Sep 9 00:05:23 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id CD7FA1A923C
for <gnats-bugs@gnats.NetBSD.org>; Tue, 9 Sep 2025 00:05:23 +0000 (UTC)
Message-Id: <20250909000522.225C81A923D@mollari.NetBSD.org>
Date: Tue, 9 Sep 2025 00:05:22 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: bozohttpd logs wrong port number under inetd with tls
X-Send-Pr-Version: www-1.0
>Number: 59644
>Category: bin
>Synopsis: bozohttpd logs wrong port number under inetd with tls
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: mrg
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 09 00:10:00 +0000 2025
>Last-Modified: Thu May 07 17:30:03 +0000 2026
>Originator: Taylor R Campbell
>Release: current, 11, 10, 9, ...
>Organization:
The NetBozo Foundaport
>Environment:
>Description:
Sep 9 00:01:33 morden httpd[28064]: got request ``GET /pub/pkgsrc/current/pkgsrc/x11/xpmicons/index.html HTTP/1.1'' from host 157.52.96.54 to port 443
This was almost certainly actually sent over port 4433.
But:
370 if (!httpd->bindport)
371 httpd->bindport = bozostrdup(httpd, NULL, BOZO_HTTPS_PORT);
https://nxr.netbsd.org/xref/src/libexec/httpd/ssl-bozo.c?r=1.34#370
672 port = NULL;
673 if (httpd->bindport) {
674 if (strcmp(httpd->bindport, BOZO_HTTP_PORT) != 0)
675 port = httpd->bindport;
676 } else if (getsockname(0, (struct sockaddr *)(void *)&ss, &slen) == 0 &&
677 getnameinfo((struct sockaddr *)(void *)&ss, slen, NULL, 0,
678 bufport, sizeof bufport, NI_NUMERICSERV) == 0)
679 port = bufport;
680 if (port != NULL)
681 request->hr_serverport = bozostrdup(httpd, request, port);
...
740 bozowarn(httpd,
741 "got request ``%s'' from host %s to port %s",
742 str,
743 host ? host : addr ? addr : "<local>",
744 port ? port : "<stdin>");
https://nxr.netbsd.org/xref/src/libexec/httpd/bozohttpd.c?r=1.149#672
Under inetd, bindport never gets set for actual binding, but ssl-bozo.c sets bindport=443 (BOZO_HTTPS_PORT), so this bypasses the getpeername branch.
>How-To-Repeat:
run httpd with tls under inetd
>Fix:
Yes, please!
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->mrg
Responsible-Changed-By: riastradh@NetBSD.org
Responsible-Changed-When: Tue, 09 Sep 2025 00:18:40 +0000
Responsible-Changed-Why:
bozomeister
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59644 CVS commit: src/libexec/httpd
Date: Sun, 3 May 2026 21:40:37 +0000
Module Name: src
Committed By: mrg
Date: Sun May 3 21:40:37 UTC 2026
Modified Files:
src/libexec/httpd: bozohttpd.c bozohttpd.h daemon-bozo.c ssl-bozo.c
Log Message:
log the correct port when using https.
fixes PR#59644.
To generate a diff of this commit:
cvs rdiff -u -r1.150 -r1.151 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.73 -r1.74 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.22 -r1.23 src/libexec/httpd/daemon-bozo.c
cvs rdiff -u -r1.35 -r1.36 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59644 CVS commit: src/libexec/httpd
Date: Sun, 3 May 2026 21:52:14 +0000
Module Name: src
Committed By: mrg
Date: Sun May 3 21:52:14 UTC 2026
Modified Files:
src/libexec/httpd: CHANGES bozohttpd.8 bozohttpd.c
Log Message:
call this bozohttpd 20260503, and update the CHANGES for the last 2 years
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
add D Bohdan to the contributors list.
To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.100 -r1.101 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.151 -r1.152 src/libexec/httpd/bozohttpd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59644 CVS commit: pkgsrc/www/bozohttpd
Date: Sun, 3 May 2026 22:04:05 +0000
Module Name: pkgsrc
Committed By: mrg
Date: Sun May 3 22:04:04 UTC 2026
Modified Files:
pkgsrc/www/bozohttpd: Makefile distinfo
Log Message:
upgrade to bozohttpd 20260503. changes include:
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
o make directory listings mobile friendly. from D. Bohdan.
To generate a diff of this commit:
cvs rdiff -u -r1.103 -r1.104 pkgsrc/www/bozohttpd/Makefile
cvs rdiff -u -r1.78 -r1.79 pkgsrc/www/bozohttpd/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59644 CVS commit: [netbsd-11] src/libexec/httpd
Date: Thu, 7 May 2026 15:51:07 +0000
Module Name: src
Committed By: martin
Date: Thu May 7 15:51:07 UTC 2026
Modified Files:
src/libexec/httpd [netbsd-11]: CHANGES auth-bozo.c bozohttpd.8
bozohttpd.c bozohttpd.h daemon-bozo.c lua-bozo.c ssl-bozo.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #268):
libexec/httpd/CHANGES: revision 1.57
libexec/httpd/daemon-bozo.c: revision 1.23
libexec/httpd/bozohttpd.8: revision 1.101
libexec/httpd/lua-bozo.c: revision 1.16
libexec/httpd/auth-bozo.c: revision 1.29
libexec/httpd/bozohttpd.h: revision 1.74
libexec/httpd/ssl-bozo.c: revision 1.35
libexec/httpd/ssl-bozo.c: revision 1.36
libexec/httpd/ssl-bozo.c: revision 1.37
libexec/httpd/bozohttpd.c: revision 1.150
libexec/httpd/bozohttpd.c: revision 1.151
libexec/httpd/bozohttpd.c: revision 1.152
Fix iteration over protos[] to prevent out-of-bounds access
Fix use-after-free in the "<a rel="nofollow" href="http://"">http://"</a>; case
Fix double free of uri (later handled by bozo_clean_request())
Fix off-by-one in case user provided '\x80' in the auth string
log the correct port when using https.
fixes PR#59644.
make the default min TLS version 1.1, as it was documented to be.
fixes PR#58878.
call this bozohttpd 20260503, and update the CHANGES for the last 2 years
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
add D Bohdan to the contributors list.
To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.56.4.1 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.28 -r1.28.4.1 src/libexec/httpd/auth-bozo.c
cvs rdiff -u -r1.100 -r1.100.2.1 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.149 -r1.149.2.1 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.73 -r1.73.6.1 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.22 -r1.22.10.1 src/libexec/httpd/daemon-bozo.c
cvs rdiff -u -r1.15 -r1.15.24.1 src/libexec/httpd/lua-bozo.c
cvs rdiff -u -r1.34 -r1.34.4.1 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59644 CVS commit: [netbsd-10] src/libexec/httpd
Date: Thu, 7 May 2026 17:29:08 +0000
Module Name: src
Committed By: martin
Date: Thu May 7 17:29:08 UTC 2026
Modified Files:
src/libexec/httpd [netbsd-10]: CHANGES auth-bozo.c bozohttpd.8
bozohttpd.c bozohttpd.h daemon-bozo.c lua-bozo.c ssl-bozo.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1265):
libexec/httpd/CHANGES: revision 1.57
libexec/httpd/daemon-bozo.c: revision 1.23
libexec/httpd/bozohttpd.8: revision 1.101
libexec/httpd/lua-bozo.c: revision 1.16
libexec/httpd/auth-bozo.c: revision 1.29
libexec/httpd/bozohttpd.h: revision 1.74
libexec/httpd/ssl-bozo.c: revision 1.35
libexec/httpd/ssl-bozo.c: revision 1.36
libexec/httpd/ssl-bozo.c: revision 1.37
libexec/httpd/bozohttpd.c: revision 1.150
libexec/httpd/bozohttpd.c: revision 1.151
libexec/httpd/bozohttpd.c: revision 1.152
Fix iteration over protos[] to prevent out-of-bounds access
Fix use-after-free in the "<a rel="nofollow" href="http://"">http://"</a>; case
Fix double free of uri (later handled by bozo_clean_request())
Fix off-by-one in case user provided '\x80' in the auth string
log the correct port when using https.
fixes PR#59644.
make the default min TLS version 1.1, as it was documented to be.
fixes PR#58878.
call this bozohttpd 20260503, and update the CHANGES for the last 2 years
o fix the default minimum TLS version to 1.1 from 1.3. the
manual already said 1.1 was the default. fixes PR#58878.
o log the correct port with TLS connections. fixes PR#59644.
o fix use-after-free, double-free, and bounds checking problems.
from shm.
o better lint support.
o several updates for the manual. from lukem.
add D Bohdan to the contributors list.
To generate a diff of this commit:
cvs rdiff -u -r1.54.2.1 -r1.54.2.2 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.27.6.1 -r1.27.6.2 src/libexec/httpd/auth-bozo.c
cvs rdiff -u -r1.92.2.1 -r1.92.2.2 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.142.2.1 -r1.142.2.2 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.73 -r1.73.2.1 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.22 -r1.22.6.1 src/libexec/httpd/daemon-bozo.c
cvs rdiff -u -r1.15 -r1.15.20.1 src/libexec/httpd/lua-bozo.c
cvs rdiff -u -r1.32.2.1 -r1.32.2.2 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.49 2026/05/14 01:52:41 riastradh Exp $
$NetBSD: gnats_config.sh,v 1.10 2026/05/13 22:00:09 riastradh Exp $
Copyright © 1994-2026
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home