httpd-dev mailing list archives

From (David Robinson)
Subject Re: free_env
Date Wed, 26 Apr 1995 17:08:00 GMT
> > I can't see any side-effect after commenting out both
> > free_env() calls after cgi_stub()
> > 
> > The core dumping stops.
> hmm, the original mail has vanished...
> I was seeing 
> httpd: caught SIGBUS, dumping core
> after a script successfully redirected to another script or to
> a html which included cgi.
> calls to free_env() after a call to cgi_stub() were the cause.
> thoughts anyone ?
> robh

Yuk Yuk Yuk. The fault is in make_env(), which wasn't done any favours by

It allocates a new array (newenv) larger than env, copies the pointers
across, and _frees the old env_. i.e. (simplified)

#include <stdlib.h>

char **new_env(char **env, int to_add, int *pos)
{
    int x;
    char **newenv;

    for(x=0; env[x]; x++);                      /* count the existing entries */
    newenv = (char **)malloc((to_add+x+1)*(sizeof(char *)));
    for(x=0; env[x]; x++) newenv[x] = env[x];   /* copy the pointers, not the strings */
    *pos = x;
    free(env);                                  /* the old pointer array goes away here */
    return newenv;
}

Some parts of the CGI code and server-side includes code contain, essentially:
(see send_parsed_file and exec_cgi_script)
   env = new_env(in_headers_env, ..)
   [add more headers to env]
   [use env]

Net result: in_headers_env, the global created by get_mime_headers(), is
freed, as are all the strings it contained. Better not try to use it again,
especially after calling malloc()...

I don't think E25 helped the situation; this changed new_env to do

char **new_env(char **env, int to_add, int *pos)
{
    ...                         /* body as above */
    *pos = x;
    in_headers_env = newenv;    /* E25 addition: also overwrite the global */
    return newenv;
}

which will make it even more likely that the global gets trashed.

1 Rob: remove your terrible hack to new_env; instead change the calls to
  new_env to update in_headers_env where appropriate.

2 Split new_env into two routines.
   a) enlarge_env, for modifying an environment; this would free the
      env pointer passed to it
   b) dup_env, for duplicating an environment; this would strdup all the
      environment strings, as well as the pointer array, and _not_ free
      the original pointer array.

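The split proposed in point 2, written out as an added example. This is not Apache or NCSA httpd code and was not part of the original message; in_headers_env, free_env, enlarge_env and dup_env are the names used in the thread, the sample header strings are constructed, and the two roundtrip functions at the end are hypothetical callers standing in for exec_cgi_script() and send_parsed_file(). The point it shows is that a deep copy (dup_env) lets the per-request env be free_env'd without touching the shared global, while enlarge_env keeps the old "steal the pointers and free the array" behaviour for an env the caller owns outright.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical global standing in for the one get_mime_headers() fills;
 * the name comes from the message, the contents below are constructed. */
char **in_headers_env = NULL;

/* Number of entries before the NULL terminator (NULL env counts as empty). */
static int env_len(char **env)
{
    int x = 0;
    while (env && env[x])
        x++;
    return x;
}

/* free_env: release every string, then the pointer array itself. */
void free_env(char **env)
{
    int x;
    if (!env)
        return;
    for (x = 0; env[x]; x++)
        free(env[x]);
    free(env);
}

/* enlarge_env: grow env by to_add spare slots. Takes ownership of the old
 * pointer array and frees it; the strings are moved, not copied. Only safe
 * when the caller owns env and nothing else still points at that array. */
char **enlarge_env(char **env, int to_add, int *pos)
{
    int x = env_len(env);
    char **newenv = malloc((size_t)(x + to_add + 1) * sizeof *newenv);
    if (!newenv)
        return NULL;
    if (x)
        memcpy(newenv, env, (size_t)x * sizeof *newenv);
    newenv[x] = NULL;
    *pos = x;
    free(env);      /* old array only; the strings now live in newenv */
    return newenv;
}

/* dup_env: deep copy of env with to_add spare slots. env is left untouched,
 * so a shared environment such as in_headers_env survives free_env(copy). */
char **dup_env(char **env, int to_add, int *pos)
{
    int x, n = env_len(env);
    char **newenv = malloc((size_t)(n + to_add + 1) * sizeof *newenv);
    if (!newenv)
        return NULL;
    for (x = 0; x < n; x++) {
        newenv[x] = strdup(env[x]);
        if (!newenv[x]) {       /* newenv[x] is NULL, so free_env stops there */
            free_env(newenv);
            return NULL;
        }
    }
    newenv[n] = NULL;
    *pos = n;
    return newenv;
}

/* Constructed stand-in for get_mime_headers(): two request headers. */
static int load_sample_headers(void)
{
    int pos;
    char **env = enlarge_env(NULL, 2, &pos);    /* fresh, pos == 0 */
    if (!env)
        return 0;
    env[pos++] = strdup("HTTP_HOST=www.example.com");
    env[pos++] = strdup("HTTP_USER_AGENT=Mosaic/2.4");
    env[pos] = NULL;
    in_headers_env = env;
    return 1;
}

/* Serve one CGI request the safe way: duplicate the shared header env,
 * append the script's own variables, use it, free it, then check that
 * in_headers_env is still intact for the redirect that follows.
 * Returns 1 when the global survived, 0 otherwise. */
int cgi_env_roundtrip(void)
{
    int pos, ok;
    char **env;

    if (!load_sample_headers())
        return 0;
    env = dup_env(in_headers_env, 2, &pos);
    if (!env)
        return 0;
    env[pos++] = strdup("SCRIPT_NAME=/cgi-bin/example");
    env[pos++] = strdup("REQUEST_METHOD=GET");
    env[pos] = NULL;
    /* ... exec_cgi_script() would hand env to the child here ... */
    free_env(env);                  /* frees only the copies */

    ok = env_len(in_headers_env) == 2
      && strcmp(in_headers_env[0], "HTTP_HOST=www.example.com") == 0;
    free_env(in_headers_env);       /* done with it for real now */
    in_headers_env = NULL;
    return ok;
}

/* Grow an env the caller owns; the old array is freed by enlarge_env.
 * Returns the final entry count. */
int enlarge_roundtrip(void)
{
    int pos, n;
    char **env = enlarge_env(NULL, 1, &pos);
    if (!env)
        return -1;
    env[pos++] = strdup("A=1");
    env[pos] = NULL;
    env = enlarge_env(env, 2, &pos);    /* old array freed inside */
    if (!env)
        return -1;
    env[pos++] = strdup("B=2");
    env[pos] = NULL;
    n = env_len(env);
    free_env(env);
    return n;
}
```

The caller of dup_env must then free_env() its copy itself, which is exactly the free_env() after cgi_stub() that robh had to comment out; with a deep copy that call becomes correct instead of fatal.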