From dev-return-10735-apmail-apr-dev-archive=apr.apache.org@apr.apache.org Sat Dec 06 00:53:52 2003
Delivered-To: mailing list dev@apr.apache.org
Message-ID: <20031206005335.14076.qmail@web60410.mail.yahoo.com>
Date: Fri, 5 Dec 2003 16:53:35 -0800 (PST)
From: Kevin Wang
Subject: Re: Severe memory corruption problems in apr_rmm_* function of Apache 2.0.48
To: dev@httpd.apache.org, dev@apr.apache.org
Cc: apache-modules@covalent.net
In-Reply-To: <20031206000644.83737.qmail@web60405.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1237891266-1070672015=:12287"

See the attached file for the diff output from "diff -C3".

Thanks.

-- Kevin

--- Kevin Wang wrote:
> Hi All,
>
> In the past few days, I was trying to figure out a shared memory corruption
> problem in my module. Eventually I found this bug in apr_rmm.c's
> find_block_of_size() function.
>
> It is severe enough to mess up the whole rmm memory blocks and make apr_rmm_*
> functions totally not workable. The source code version I am referring to is
> 2.0.48.
>
> Thanks!
>
> -- Kevin
>
> Here are the problems and the fixes:
>
> 1. in apr_rmm.c: line 129
>
> if (bestsize - size > sizeof(struct rmm_block_t*)) {
>
> >>>
>
> if (bestsize - size > sizeof(rmm_block_t)) {
>
>
> 2. in apr_rmm.c: line 141
>
> blk = (rmm_block_t*)((char*)rmm->base + blk->next);
>
> >>>
>
> blk = (rmm_block_t*)((char*)rmm->base + new->next);
>
> __________________________________
> Do you Yahoo!?
> Protect your identity with Yahoo! Mail AddressGuard
> http://antispam.yahoo.com/whatsnewfree

--0-1237891266-1070672015=:12287
Content-Type: text/plain; name="apr_rmm.c.diff.txt"
Content-Description: apr_rmm.c.diff.txt
Content-Disposition: inline; filename="apr_rmm.c.diff.txt"

*** apr_rmm.c Fri Dec 5 16:47:36 2003 --- apr_rmm.c.new Fri Dec 5 16:46:52 2003 *************** *** 126,132 **** next = blk->next; } ! if (bestsize - size > sizeof(struct rmm_block_t*)) { struct rmm_block_t *blk = (rmm_block_t*)((char*)rmm->base + best); struct rmm_block_t *new = (rmm_block_t*)((char*)rmm->base + best + size); --- 126,132 ---- next = blk->next; } ! if (bestsize - size > sizeof(rmm_block_t)) { struct rmm_block_t *blk = (rmm_block_t*)((char*)rmm->base + best); struct rmm_block_t *new = (rmm_block_t*)((char*)rmm->base + best + size); *************** *** 138,144 **** blk->next = best + size; if (new->next) { ! blk = (rmm_block_t*)((char*)rmm->base + blk->next); blk->prev = best + size; } } --- 138,144 ---- blk->next = best + size; if (new->next) { ! blk = (rmm_block_t*)((char*)rmm->base + new->next); blk->prev = best + size; } }
--0-1237891266-1070672015=:12287--
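Review bot: the new threshold in the first hunk, `if (bestsize - size > sizeof(rmm_block_t)) {`, is the right one, because the leftover at `best + size` is immediately used as a complete `struct rmm_block_t` (the `new` pointer declared two lines below in the same hunk), so it must be able to hold a whole header; `sizeof(struct rmm_block_t*)` only reserved room for a pointer, so a leftover of a few bytes was split off and the header written into it spilled over into whatever block followed. Two small suggestions for the same line: spell the type as `struct rmm_block_t` to match the declarations right below it, and consider writing the test as `bestsize > size + sizeof(struct rmm_block_t)` so that it stays correct even if the loop above can exit with `bestsize` below `size`, since with unsigned operands `bestsize - size` would then wrap to a large value and take the split path anyway.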
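Review bot: the `new->next` change in the second hunk is correct, and the context line above it shows why: `blk->next = best + size;` has just run, so `blk->next` no longer holds the old successor but the offset of the block being carved off; the old line therefore recomputed `new` and set `new->prev = best + size` (pointing the block at itself), while the real successor kept a `prev` of `best`, and anything that later follows that stale `prev` when unlinking or coalescing writes into the wrong block. For readability, consider walking to the successor through a separately named pointer instead of reusing `blk`, and add a regression test that splits a free block sitting in front of another free block and then verifies the `prev`/`next` links of the whole list, since that is exactly the layout this bug needs.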
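The two defects described in the quoted report, modelled in C as an added example that is not APR's code: a toy offset-based free list in the style of apr_rmm.c, a find_block_of_size() that can be switched between the 2.0.48 split logic and the fixed one, and a walker that checks the invariants the corruption breaks. Every name in it (arena, blk_hdr, free_list_ok, list_ok_after, neighbour_size_after) is the example's own, and the block layout and sizes are constructed for the demonstration.

```c
/* Added example, not APR's code: a toy of the offset-based free list that
 * apr_rmm.c's find_block_of_size() manages. The split step can run either as
 * 2.0.48 had it (both bugs from the report) or as fixed, and free_list_ok()
 * checks the invariants the corruption breaks. All names are this example's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct blk_hdr {
    size_t size;  /* whole block length, header included */
    size_t prev;  /* offset of the previous free block, 0 = none */
    size_t next;  /* offset of the next free block, 0 = none */
} blk_hdr;

#define ARENA_SIZE 4096
typedef struct arena {
    unsigned char mem[ARENA_SIZE];  /* offset 0 is reserved, as in apr_rmm */
    size_t firstfree;
} arena;

#define HDR(a, off) ((blk_hdr *)((a)->mem + (off)))

/* Constructed layout: free block A of a_size bytes right after the reserved
 * slot, free block B covering the rest. Returns A's offset; B is A + a_size. */
static size_t arena_init(arena *a, size_t a_size)
{
    size_t A = sizeof(blk_hdr), B = A + a_size;
    memset(a->mem, 0, sizeof a->mem);
    a->firstfree = A;
    HDR(a, A)->size = a_size;         HDR(a, A)->prev = 0; HDR(a, A)->next = B;
    HDR(a, B)->size = ARENA_SIZE - B; HDR(a, B)->prev = A; HDR(a, B)->next = 0;
    return A;
}

/* Best-fit search and split, after the 2.0.48 routine; `fixed` selects the two
 * lines the report changes. Returns the offset handed out, 0 if nothing fits. */
static size_t find_block_of_size(arena *a, size_t size, int fixed)
{
    size_t next = a->firstfree, best = 0, bestsize = 0, minimum;
    while (next) {
        blk_hdr *blk = HDR(a, next);
        if (blk->size == size) return next;
        if (blk->size >= size && (!bestsize || blk->size < bestsize)) {
            bestsize = blk->size; best = next;
        }
        next = blk->next;
    }
    if (!best) return 0;  /* toy-only guard so bestsize - size cannot wrap */

    /* The leftover becomes a new free block, so it must hold a whole header;
     * 2.0.48 only demanded room for a pointer to one (fix 1). */
    minimum = fixed ? sizeof(blk_hdr) : sizeof(blk_hdr *);
    if (bestsize - size > minimum) {
        blk_hdr *blk = HDR(a, best);
        blk_hdr *new_blk = HDR(a, best + size); /* runs into B when !fixed and the leftover is short */
        new_blk->size = bestsize - size;
        new_blk->prev = best;
        new_blk->next = blk->next;
        blk->size = size;
        blk->next = best + size;
        if (new_blk->next) {
            /* blk->next is now best + size, i.e. new_blk itself: 2.0.48 rewrote
             * new_blk->prev and left the real successor's prev stale (fix 2). */
            blk = HDR(a, fixed ? new_blk->next : blk->next);
            blk->prev = best + size;
        }
    }
    return best;
}

/* Invariants: each free block lies inside the arena, is at least a header long,
 * and each successor's prev points back at its predecessor. */
static int free_list_ok(const arena *a)
{
    size_t off = a->firstfree, prev = 0, hops = 0;
    while (off) {
        const blk_hdr *b;
        if (off > ARENA_SIZE - sizeof(blk_hdr) || ++hops > ARENA_SIZE / sizeof(blk_hdr))
            return 0;
        b = (const blk_hdr *)(a->mem + off);
        if (b->size < sizeof(blk_hdr) || b->size > ARENA_SIZE - off || b->prev != prev)
            return 0;
        prev = off;
        off = b->next;
    }
    return 1;
}

/* Allocate `req` bytes out of the A/B layout and report list consistency. */
static int list_ok_after(size_t req, int fixed)
{
    arena a;
    arena_init(&a, 512);
    find_block_of_size(&a, req, fixed);
    return free_list_ok(&a);
}

/* Same, but return B's size field; an intact B reports ARENA_SIZE - B_off. */
static size_t neighbour_size_after(size_t req, int fixed)
{
    arena a;
    size_t B = arena_init(&a, 512) + 512;
    find_block_of_size(&a, req, fixed);
    return HDR(&a, B)->size;
}

int main(void)
{
    /* Leftover bigger than a pointer but smaller than a header (fix 1). */
    size_t tight = 512 - sizeof(blk_hdr) + sizeof(size_t);
    printf("tight split 2.0.48: list ok=%d B size=%zu\n", list_ok_after(tight, 0), neighbour_size_after(tight, 0));
    printf("tight split fixed : list ok=%d B size=%zu\n", list_ok_after(tight, 1), neighbour_size_after(tight, 1));
    /* Comfortable split in front of another free block (fix 2). */
    printf("split before B 2.0.48: list ok=%d\n", list_ok_after(128, 0));
    printf("split before B fixed : list ok=%d\n", list_ok_after(128, 1));
    return 0;
}
```

With the 2.0.48 logic the tight request splits off a leftover shorter than a header, and the `next` field of that header lands on top of B's `size` field (so B then reports its own offset as its size); the 128-byte request leaves B's `prev` stale. With both fixes applied the walker reports a consistent list in both cases.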