httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 25550] - apr_rmm corruption when allocating too much
Date Wed, 10 Mar 2004 17:04:46 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=25550>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=25550

apr_rmm corruption when allocating too much

eabouzou@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Other                       |Low



------- Additional Comments From eabouzou@yahoo.com  2004-03-10 17:04 -------
I have just run into this problem and I traced through the code and I know
where the problem is coming from. First, what I've seen is exactly what
Philippe M. Chiasson has described: if you try to allocate memory by calling
apr_rmm_malloc and there is not enough memory left in RMM, it will simply
overwrite previously allocated memory, causing a segmentation fault when
one tries to access the overwritten memory. I traced through the code and I
managed to find the source of the problem:
in apr_rmm.c line 129 (inside the function find_block_of_size), there is a line
that reads:

    if (bestsize - size > sizeof(struct rmm_block_t*)) {

This line has an unsigned arithmetic error: when there is not enough memory left to
satisfy the requested size, the bestsize value is 0. Say the requested size is 28, so
0 - 28 = -28, but because bestsize and size are (unsigned int) that minus number
becomes a huge positive number, 4294967268, which is of course > sizeof(struct
rmm_block_t*), causing the if statement to evaluate to true instead of false.
Now things get messed up really badly, since best is 0, so this causes an
(rmm_block_t) blk to get written over top of rmm->base, messing up memory that's
already in use and eventually a crash when that memory is referenced.

I suggest that line be changed to the following:

    if (bestsize > sizeof(struct rmm_block_t*) + size ) {

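The following is an added C example, not code from APR or from the bug report above. It models the size check from find_block_of_size with a constructed stand-in for struct rmm_block_t and two size_t operands, and shows why the original comparison accepts a split when bestsize is 0 (the subtraction wraps to a huge value), why the reporter's proposed rewrite rejects it, and, as this example's own variant, an ordering check that avoids any arithmetic that can wrap (the proposed form `sizeof(...) + size` can itself wrap for a very large size). The function names split_ok_original, split_ok_proposed and split_ok_safe are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for APR's rmm_block_t; only sizeof(pointer) is used
 * by the checks below, exactly as in the line quoted in the report. */
struct rmm_block_t {
    size_t size;
    size_t next;
};

/* The comparison as quoted from apr_rmm.c in the report. With unsigned
 * operands, bestsize - size wraps when bestsize < size, so a bestsize of 0
 * (no free block at all) still compares greater than the header size. */
int split_ok_original(size_t bestsize, size_t size)
{
    return bestsize - size > sizeof(struct rmm_block_t *);
}

/* The reporter's proposed replacement: no subtraction, so bestsize == 0
 * correctly yields false. Note the addition on the right can still wrap
 * for a size close to SIZE_MAX. */
int split_ok_proposed(size_t bestsize, size_t size)
{
    return bestsize > sizeof(struct rmm_block_t *) + size;
}

/* This example's own variant: establish bestsize >= size first, so the
 * subtraction cannot wrap and no addition is needed. */
int split_ok_safe(size_t bestsize, size_t size)
{
    if (bestsize < size)
        return 0;
    return bestsize - size > sizeof(struct rmm_block_t *);
}

/* Value of the wrapped subtraction, for display: the report's 4294967268
 * on a 32-bit build, 2^64 - 28 on a 64-bit one. */
size_t wrapped_difference(size_t bestsize, size_t size)
{
    return bestsize - size;
}

int main(void)
{
    /* Constructed scenario from the report: nothing free (bestsize 0),
     * request of 28 bytes. */
    size_t bestsize = 0, size = 28;

    printf("bestsize - size wraps to %zu\n", wrapped_difference(bestsize, size));
    printf("original check : %d (1 = would split, writing a header over live data)\n",
           split_ok_original(bestsize, size));
    printf("proposed check : %d\n", split_ok_proposed(bestsize, size));
    printf("safe variant   : %d\n", split_ok_safe(bestsize, size));

    /* Constructed edge case the proposed form does not cover: a request
     * near SIZE_MAX makes sizeof(ptr) + size wrap to a small value. */
    printf("proposed, size=SIZE_MAX: %d\n", split_ok_proposed(64, SIZE_MAX));
    printf("safe,     size=SIZE_MAX: %d\n", split_ok_safe(64, SIZE_MAX));
    return 0;
}
```

Compile with any C99 compiler and run; the original check reports 1 for the empty-arena case while both alternatives report 0, and only the ordering-first variant also rejects the wrapped-addition case.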
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

