Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org
Received: (qmail 34169 invoked by uid 500); 2 Jul 2003 17:46:17 -0000
Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Apache HTTPD Bugs Notification List"
Delivered-To: mailing list bugs@httpd.apache.org
Received: (qmail 34104 invoked from network); 2 Jul 2003 17:46:16 -0000
Date: 2 Jul 2003 17:48:43 -0000
Message-ID: <20030702174843.3709.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 21285] New: - (mem) cache size becomes negative causing segfault
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED
COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT .
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21285

(mem) cache size becomes negative causing segfault

           Summary: (mem) cache size becomes negative causing segfault
           Product: Apache httpd-2.0
           Version: 2.0.46
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Other Modules
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: m.torquati@huginsoft.it

Short description:
(mem) cache size becomes negative in some circumstances (caching dynamic objects, small cache size, at least two threads), later causing wrong behaviour and a segfault in the cache_insert functions.

Detailed description:
If our understanding of the code is correct, dynamically generated objects are first inserted in the cache as temporary objects with a default size. In the function write_body (in mod_mem_cache.c), to resize a temporary object after it has been completed, it is first removed from the cache and then re-inserted with its correct size. This operation is performed without checking if the removed object is still present in the cache.

Suppose another thread has removed the temporary object from the cache because of a capacity miss in the cache_insert functions (cache_cache.c). Then you can remove an object of a different size and adjust the cache size in a wrong manner, eventually producing a negative cache size. A negative cache size quickly produces a segfault in cache_insert().
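The accounting race the report describes, as an added example (not httpd's own code; the array-backed cache, its eviction policy and every name below are hypothetical simplifications of mod_mem_cache's object table and size counter): a second thread's capacity-miss eviction of the temporary object, followed by the first thread's unchecked remove-and-reinsert in the resize path, drives the believed cache size negative, while subtracting only what was actually removed keeps the counter consistent.

```c
/* Toy model of the report's accounting race; added illustration, not httpd code (names hypothetical). */
#include <stdbool.h>
#include <stddef.h>
#define MAX_OBJS 4
typedef struct { int id; long size; bool present; } obj_t;
typedef struct { obj_t objs[MAX_OBJS]; long current_size, max_size; } cache_t;
static obj_t *cache_find(cache_t *c, int id) {          /* NULL if id is not cached */
    for (int i = 0; i < MAX_OBJS; i++)
        if (c->objs[i].present && c->objs[i].id == id) return &c->objs[i];
    return NULL;
}
static bool cache_remove(cache_t *c, int id) {          /* subtracts size only if cached */
    obj_t *o = cache_find(c, id);
    if (!o) return false;
    o->present = false; c->current_size -= o->size;
    return true;
}
/* A capacity miss evicts the first present slot, as thread 2's cache_insert does to the temp object. */
static void cache_insert(cache_t *c, int id, long size) {
    while (c->current_size + size > c->max_size) {
        int i = 0;
        while (i < MAX_OBJS && !c->objs[i].present) i++;
        if (i == MAX_OBJS) break;                        /* nothing left to evict */
        cache_remove(c, c->objs[i].id);
    }
    for (int i = 0; i < MAX_OBJS; i++)
        if (!c->objs[i].present) {
            c->objs[i] = (obj_t){ id, size, true }; c->current_size += size; return;
        }
}
/* write_body-style resize. Buggy: subtract the default size unconditionally; fixed: let cache_remove decide. */
static void resize(cache_t *c, int id, long old_size, long new_size, bool fixed) {
    if (fixed) cache_remove(c, id);
    else {
        obj_t *o = cache_find(c, id);
        if (o) o->present = false;
        c->current_size -= old_size;                     /* negative if already evicted */
    }
    cache_insert(c, id, new_size);
}
/* Thread 1 caches temp object 1 (default size 60); thread 2's insert evicts it; thread 1 resizes
 * it to 20; object 2 is later removed normally. Returns the believed size: -40 buggy, 20 fixed. */
static long run_scenario(bool fixed) {
    cache_t c = { .max_size = 100 };
    cache_insert(&c, 1, 60);
    cache_insert(&c, 2, 50);                             /* capacity miss: evicts object 1 */
    resize(&c, 1, 60, 20, fixed);
    cache_remove(&c, 2);
    return c.current_size;
}
```

Once the counter is negative, every later capacity check in cache_insert passes, so the cache keeps admitting objects it has no room for; a detection check that compares the counter against the sum of resident object sizes would catch the drift before it turns into a crash.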