httpd-dev mailing list archives

From "Brian Havard" <bri...@kheldar.apana.org.au>
Subject Re: cvs commit: httpd-2.0/modules/filters mod_include.c
Date Sat, 18 Aug 2001 13:19:40 GMT
On Sat, 18 Aug 2001 22:47:24 +1000 (EST), Brian Havard wrote:

>On 18 Aug 2001 08:37:42 -0400, Jeff Trawick wrote:
>
>>"Brian Havard" <brianh@kheldar.apana.org.au> writes:
>>
>>> I'm seeing a SEGV when parsing a file > 8192 bytes (even 1 byte greater).
>>> Notable points:
>>> - Stack is trashed, can't get a backtrace
>>> - The client receives the full & correct response
>>> - Appears to be a call to a null function pointer (EIP=0 in trap log),
>>> destroying the buckets. It could just be a symptom of other corruption
>>> though.
>>> - It still crashes even if the output is shorter than 8192 due to tag
>>> parsing.
>>> 
>>> This is on OS/2 where there's no mmap or sendfile. We've seen before that
>>> the non-mmap code path is different enough to have its own bugs....
>>
>>Can you post your test file please?
>>
>>I just turned off APR_HAS_MMAP on Linux (and verified that the mmap
>>bucket code was missing!), then re-ran tests where a tag appears at
>>offsets 1 through 10,000.  I didn't hit any problems in the server,
>>and the included file was expanded properly.
>
>File content is irrelevant, I get the same result with 8193 spaces.
>If you're not seeing the same bug I guess it must be some factor other than
>mmap.

Found it. In apr_buckets_file.c:file_read() line ~189 it makes a bucket
manually but neglects to set the free function. This fixes the SEGV for me,
but why am I the only one getting it?????


Index: apr_buckets_file.c
===================================================================
RCS file: /home/cvs/apr-util/buckets/apr_buckets_file.c,v
retrieving revision 1.53
diff -u -r1.53 apr_buckets_file.c
--- apr_buckets_file.c	2001/08/08 05:58:15	1.53
+++ apr_buckets_file.c	2001/08/18 13:11:09
@@ -191,6 +191,7 @@
         b->length = filelength;
         b->data   = a;
         b->type   = &apr_bucket_type_file;
+        b->free   = free;
         APR_BUCKET_INSERT_AFTER(e, b);
     }
     else {
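Review bot: the added `b->free = free;` only works if `b` was obtained from the C library allocator; the allocation sits above this hunk and is not shown, so please confirm it is a plain `malloc` (or switch to the deallocator that matches whatever is used), since a mismatched pair is as bad as the missing one. Leaving the member unassigned is consistent with the EIP=0 trap reported earlier in the thread: destroying the bucket calls through whatever the uninitialised field happened to contain. Because this block fills in the bucket one member at a time (`length`, `data`, `type`, now `free`), consider routing it through a single shared initialisation routine so that any member added to the struct later is not silently skipped here again.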

-- 
 ______________________________________________________________________________
 |  Brian Havard                 |  "He is not the messiah!                   |
 |  brianh@kheldar.apana.org.au  |  He's a very naughty boy!" - Life of Brian |
 ------------------------------------------------------------------------------
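The failure mode discussed in this message, an object assembled member by member with its release callback left unset, as an added illustration in C. This is not APR code and not part of the thread: the `bucket` type and every function below (`bucket_make_by_hand`, `bucket_make`, `bucket_destroy`) are constructed stand-ins for the real `apr_bucket` structure and its constructors. It shows the risky hand-built form beside a constructor that sets every member in one place, plus a destroy routine that reports a missing callback instead of jumping through it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for apr_bucket: the real struct has more members,
 * but the one that matters here is the per-bucket release callback. */
typedef struct bucket {
    const char *type;          /* stand-in for the bucket type table pointer */
    size_t      length;
    void       *data;
    void      (*free)(void *); /* releases the bucket struct itself */
} bucket;

/* Risky pattern from the thread: allocate, then set members one by one.
 * The callback is never assigned. calloc() is used here so the omission
 * shows up as a NULL pointer; with malloc() the member would hold whatever
 * the heap block contained before, and the failure would be non-deterministic. */
static bucket *bucket_make_by_hand(void *data, size_t length)
{
    bucket *b = calloc(1, sizeof *b);
    if (b == NULL)
        return NULL;
    b->length = length;
    b->data   = data;
    b->type   = "file";
    /* b->free deliberately not set, mirroring the bug before the patch */
    return b;
}

/* Constructor that owns initialisation: every member is set in one place,
 * and the deallocator is chosen where the allocation happens, so the two
 * always match. */
static bucket *bucket_make(void *data, size_t length)
{
    bucket *b = calloc(1, sizeof *b);
    if (b == NULL)
        return NULL;
    b->type   = "file";
    b->length = length;
    b->data   = data;
    b->free   = free;          /* pairs with calloc() above */
    return b;
}

/* Defensive destroy: report a malformed bucket instead of calling through a
 * NULL callback (the EIP=0 trap from the report). Returns 0 on success and
 * -1 when the bucket cannot be released safely; the caller still owns it. */
static int bucket_destroy(bucket *b)
{
    if (b == NULL || b->free == NULL)
        return -1;
    b->free(b);
    return 0;
}

int main(void)
{
    char payload[] = "constructed sample payload";
    bucket *hand = bucket_make_by_hand(payload, sizeof payload);
    bucket *ctor = bucket_make(payload, sizeof payload);

    printf("hand-built bucket:  destroy -> %d\n", bucket_destroy(hand)); /* -1 */
    printf("constructed bucket: destroy -> %d\n", bucket_destroy(ctor)); /* 0 */
    free(hand); /* destroy refused it, so the caller releases it */
    return 0;
}
```

The NULL check in `bucket_destroy` only helps when the missed member is reliably zero, which is why both constructors zero the block first; a stale non-NULL value from an unzeroed allocation cannot be distinguished from a valid callback, and the only real cure is the single constructor that assigns every member.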

