Message-ID: <20031206001848.48377.qmail@web60404.mail.yahoo.com>
Date: Fri, 5 Dec 2003 16:18:48 -0800 (PST)
From: Kevin Wang
Subject: Fwd: Severe memory corruption problems in apr_rmm_* function of Apache 2.0.48
To: dev@apr.apache.org

Note: forwarded message attached.

Date: Fri, 5 Dec 2003 16:06:44 -0800 (PST)
From: Kevin Wang
Subject: Severe memory corruption problems in apr_rmm_* function of Apache 2.0.48
To: dev@httpd.apache.org
Cc: apache-modules@covalent.net

Hi All,

In the past few days, I was trying to figure out a shared memory corruption problem in my module. Eventually I found this bug in apr_rmm.c's find_block_of_size() function. It is severe enough to mess up the whole rmm memory blocks and make apr_rmm_* functions totally not workable. The source code version I am referring to is 2.0.48.

Thanks!
-- Kevin

Here are the problems and the fixes:

1. in apr_rmm.c: line 129
if (bestsize - size > sizeof(struct rmm_block_t*)) {
>>> if (bestsize - size > sizeof(rmm_block_t)) {

2. in apr_rmm.c: line 141
blk = (rmm_block_t*)((char*)rmm->base + blk->next);
>>> blk = (rmm_block_t*)((char*)rmm->base + new->next);
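
Review bot: In fix 1 (apr_rmm.c line 129), the new test `bestsize - size > sizeof(rmm_block_t)` is still evaluated as an unsigned comparison, because sizeof yields a size_t. If bestsize can ever be smaller than size at this point (the quoted lines show no guard for that, for example when no fitting block was found), the difference compares as a very large value and the split branch is taken anyway. Writing the test as `bestsize > size + sizeof(rmm_block_t)` avoids the subtraction. A one-line comment saying that the remainder must be large enough to hold a full block header, not just a pointer to one, would also record why the operand changed.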
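
Review bot: In fix 2 (apr_rmm.c line 141), the replacement `blk = (rmm_block_t*)((char*)rmm->base + new->next);` turns the offset in new->next into a pointer with no check visible in the quoted line that the offset refers to a real block. If the list marks "no next block" with a sentinel offset, blk would point at rmm->base itself and anything written through it afterwards would corrupt the start of the segment, so please confirm that the surrounding code tests new->next first, or add that test. The fix would also be easier to apply and review as a unified diff against 2.0.48 than as line numbers.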