httpd-cvs mailing list archives

From jwool...@apache.org
Subject cvs commit: httpd-2.0/modules/http http_protocol.c
Date Fri, 24 Aug 2001 20:27:40 GMT
jwoolley    01/08/24 13:27:40

  Modified:    modules/http http_protocol.c
  Log:
  Fix a double-free condition when byterange requests are made on brigades
  containing any bucket that cannot be copied natively (ie, pipe or socket
  buckets).
  
  Before, we were reading that bucket to morph it to a heap bucket and then
  taking the str that heap bucket points to and placing it in a second,
  completely separate heap bucket.  That means we'd have two apr_bucket/
  apr_bucket_heap pairs each with a refcount of 1 (rather than two apr_buckets
  and a single apr_bucket_heap with a refcount of 2).  str would then be
  doubly-freed when the second of those two buckets was destroyed.
  
  Revision  Changes    Path
  1.355     +6 -1      httpd-2.0/modules/http/http_protocol.c
  
  Index: http_protocol.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/http/http_protocol.c,v
  retrieving revision 1.354
  retrieving revision 1.355
  diff -u -d -u -r1.354 -r1.355
  --- http_protocol.c	2001/08/16 03:58:16	1.354
  +++ http_protocol.c	2001/08/24 20:27:40	1.355
  @@ -2468,8 +2468,13 @@
               apr_size_t len;
   
               if (apr_bucket_copy(ec, &foo) != APR_SUCCESS) {
  +                /* we assume here that if copy failed we can morph
  +                 * the bucket into a copyable one by reading it... normally
  +                 * copy won't return anything but APR_SUCCESS or APR_ENOTIMPL
  +                 */
  +                /* XXX: check for failure? */
                   apr_bucket_read(ec, &str, &len, APR_BLOCK_READ);
  -                foo = apr_bucket_heap_create(str, len, 0, NULL);
  +                apr_bucket_copy(ec, &foo);
               }
               APR_BRIGADE_INSERT_TAIL(bsend, foo);
               ec = APR_BUCKET_NEXT(ec);
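
Review bot: The return values of `apr_bucket_read(ec, &str, &len, APR_BLOCK_READ)` and of the retried `apr_bucket_copy(ec, &foo)` inside the `if` are both ignored, so if the read fails (the case the `XXX: check for failure?` comment flags) the bucket is not morphed, the second copy can fail the same way as the first, and `foo` reaches `APR_BRIGADE_INSERT_TAIL(bsend, foo)` without having been set by a successful copy. Suggest checking both calls and leaving the loop with an error before the insert when either one does not return APR_SUCCESS. The new comment also says the first failure is assumed to be APR_ENOTIMPL; testing for that value explicitly would keep other errors from taking the read-and-retry path.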
  
  
  

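The ownership difference described in the log, as an added toy model in C (not APR or httpd code; `heap_data`, `bucket` and the helper names are hypothetical). The release of `str` is counted rather than performed, so the program runs safely while showing that the revision 1.354 pattern releases it twice.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the ownership structure, not APR's types or API. */
typedef struct { const char *base; int refcount; } heap_data;  /* shared payload */
typedef struct { heap_data *data; } bucket;                     /* per-bucket handle */

static int str_releases;  /* counts releases of str instead of calling free() on it */

static bucket *heap_create(const char *str) {
    bucket *b = malloc(sizeof *b);
    b->data = malloc(sizeof *b->data);
    b->data->base = str;
    b->data->refcount = 1;          /* new payload: believes it is the sole owner */
    return b;
}

static bucket *copy(bucket *src) {
    bucket *b = malloc(sizeof *b);
    b->data = src->data;            /* share the existing payload */
    b->data->refcount++;
    return b;
}

static void destroy(bucket *b) {
    if (--b->data->refcount == 0) { /* last reference releases str */
        str_releases++;
        free(b->data);
    }
    free(b);
}

/* Returns how many times str is released once both buckets are destroyed. */
static int releases(int share_payload) {
    static const char str[] = "constructed sample payload";
    bucket *ec = heap_create(str);   /* the bucket after a read morphed it to heap */
    bucket *foo = share_payload ? copy(ec)            /* pattern after the fix */
                                : heap_create(str);   /* pattern before the fix */
    str_releases = 0;
    destroy(foo);
    destroy(ec);
    return str_releases;
}

int main(void) {
    printf("second heap bucket: %d releases\n", releases(0));
    printf("copy after read:    %d releases\n", releases(1));
    return 0;
}
```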