Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Message-ID: <010301c1a7a4$9054b470$6501a8c0@sashimi>
From: "Bill Stoddard" <bill@wstoddard.com>
To: <dev@httpd.apache.org>
Subject: core_output_filter seg fault
Date: Sun, 27 Jan 2002 21:36:06 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

I am getting a seg fault attempting to write bogus buffers to the network.
apr_brigade_write() appears to be the culprit. I send an MMAP bucket into the
apr_brigade_write and it creates a transient bucket to point at the contents of the MMAP
bucket and hangs this transient on the ctx->b brigade. apr_brigade_destroy() whacks the
MMAP pointed to by the transient bucket in ctx->b, resulting in a segfault when we try to
write the bogus buffer to the network.

The comment is, um, not reassuring.  Any ideas?

Bill

APR_BRIGADE_FOREACH(bucket, b) {
   const char *str;
   apr_size_t n;

   rv = apr_bucket_read(bucket, &str, &n, APR_BLOCK_READ);

  /* This apr_brigade_write does not use a flush function
     because we assume that we will not write enough data
     into it to cause a flush. However, if we *do* write
     "too much", then we could end up with transient
     buckets which would suck. This works for now, but is
     a bit shaky if changes are made to some of the
     buffering sizes. Let's do an assert to prevent
     potential future problems... */
     AP_DEBUG_ASSERT(AP_MIN_BYTES_TO_WRITE <=
                     APR_BUCKET_BUFF_SIZE);
     if (rv != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_ERR, rv, c->base_server,
                           "core_output_filter: Error reading from bucket.");
            return rv;
     }
      apr_brigade_write(ctx->b, NULL, NULL, str, n);
}
apr_brigade_destroy(b