httpd-dev mailing list archives

From "Bill Stoddard" <b...@wstoddard.com>
Subject Re: mod_mem_cache segfault
Date Mon, 17 Jun 2002 22:06:13 GMT
I made a mistake in the analysis below.  I can see cache_pq_remove() is not removing the
object from the PQ in some cases. I think the problem may be in cache_pq_pop() but I
haven't quite figured out how this function is supposed to work...

Bill

> Some more analysis ... The PQ code has an array indexing problem. You can see the
> problem at work in cache_pq_remove code:
>
> apr_status_t cache_pq_remove(cache_pqueue_t *q, void* d)
> {
>     apr_ssize_t posn;
>     void *popped = NULL;
>     long pri_popped;
>     long pri_removed;
>
>     posn  = q->get(d);
>
> /*
>  * posn is the position of the entry being removed from the PQ indexed starting
>  * from 1.
>  */
>     popped = cache_pq_pop(q);
>
>     if (!popped)
>         return APR_EGENERAL;
>
>     if (d == popped) {
>         return APR_SUCCESS;
>     }
>     pri_popped = q->pri(popped);
>     pri_removed = q->pri(d);
>
>     q->d[posn] = popped;
>
> /*
>  * Ooops.... we just whacked entry posn indexed starting from 0, which is not the
>  * one we wanted.
>  */
>
> I have also noticed that q->d[0] always points to invalid memory which implies that
> the q->d array may be subject to overflow as well (ie, accessing position 5 in an
> array of size 5).
>
> Bill
>
>


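The indexing mismatch discussed in the thread, illustrated with an added example. This is not Bill's code and not the mod_mem_cache pqueue; it is a constructed, self-contained max-heap (pq_t, item_t, pq_insert, pq_pop, pq_remove, pq_check are all hypothetical names) that keeps one convention throughout: slots d[1..size] are live and d[0] is never dereferenced. pq_remove validates the stored position against that live range before writing, so a stale or out-of-range position is rejected instead of overwriting a neighbouring slot, and a pq_check helper verifies both the heap property and every element's recorded position after each operation.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example: a max-heap over item pointers with 1-based storage.
 * d[1..size] are live slots; d[0] is allocated but never used. */
typedef struct {
    long pri;      /* priority: larger pops first */
    size_t posn;   /* 1-based slot in the heap array; 0 = not in the heap */
} item_t;

typedef struct {
    item_t **d;
    size_t size;
    size_t cap;
} pq_t;

static pq_t *pq_create(size_t cap)
{
    pq_t *q = malloc(sizeof *q);
    q->d = calloc(cap + 1, sizeof *q->d);   /* +1 because slot 0 is unused */
    q->size = 0;
    q->cap = cap;
    return q;
}

static void pq_destroy(pq_t *q) { free(q->d); free(q); }

/* Swap two slots and keep each item's recorded position in sync. */
static void swap_slots(pq_t *q, size_t a, size_t b)
{
    item_t *t = q->d[a]; q->d[a] = q->d[b]; q->d[b] = t;
    q->d[a]->posn = a;
    q->d[b]->posn = b;
}

static void sift_up(pq_t *q, size_t i)
{
    while (i > 1 && q->d[i]->pri > q->d[i / 2]->pri) {
        swap_slots(q, i, i / 2);
        i /= 2;
    }
}

static void sift_down(pq_t *q, size_t i)
{
    for (;;) {
        size_t l = 2 * i, r = l + 1, m = i;
        if (l <= q->size && q->d[l]->pri > q->d[m]->pri) m = l;
        if (r <= q->size && q->d[r]->pri > q->d[m]->pri) m = r;
        if (m == i) return;
        swap_slots(q, i, m);
        i = m;
    }
}

static int pq_insert(pq_t *q, item_t *it)
{
    if (q->size >= q->cap) return -1;       /* bounded: never writes past d[cap] */
    q->size++;
    q->d[q->size] = it;
    it->posn = q->size;
    sift_up(q, q->size);
    return 0;
}

static item_t *pq_pop(pq_t *q)
{
    item_t *top;
    if (q->size == 0) return NULL;
    top = q->d[1];
    q->d[1] = q->d[q->size];
    q->d[1]->posn = 1;
    q->d[q->size] = NULL;
    q->size--;
    if (q->size > 0) sift_down(q, 1);
    top->posn = 0;                          /* mark as no longer in the heap */
    return top;
}

/* Remove an arbitrary element. The stored position is 1-based, and it is
 * checked against the live range and against the slot's contents before any
 * write, so a stale index cannot clobber another entry. */
static int pq_remove(pq_t *q, item_t *it)
{
    size_t posn = it->posn;
    item_t *last;
    if (posn < 1 || posn > q->size || q->d[posn] != it) return -1;
    last = q->d[q->size];
    q->d[q->size] = NULL;
    q->size--;
    it->posn = 0;
    if (posn > q->size) return 0;           /* it was the last slot: done */
    q->d[posn] = last;
    last->posn = posn;
    sift_up(q, posn);                       /* moved element may go either way */
    sift_down(q, last->posn);
    return 0;
}

/* Invariant check: heap order holds and every item's posn matches its slot. */
static int pq_check(const pq_t *q)
{
    size_t i;
    for (i = 1; i <= q->size; i++) {
        if (q->d[i]->posn != i) return 0;
        if (i > 1 && q->d[i]->pri > q->d[i / 2]->pri) return 0;
    }
    return 1;
}

int main(void)
{
    pq_t *q = pq_create(8);
    item_t a = {10, 0}, b = {30, 0}, c = {20, 0}, d = {40, 0}, e = {5, 0};
    pq_insert(q, &a); pq_insert(q, &b); pq_insert(q, &c);
    pq_insert(q, &d); pq_insert(q, &e);
    printf("heap ok after inserts: %d\n", pq_check(q));
    printf("remove c: %d, heap ok: %d\n", pq_remove(q, &c), pq_check(q));
    printf("remove c again (stale posn rejected): %d\n", pq_remove(q, &c));
    while (q->size) printf("pop pri=%ld\n", pq_pop(q)->pri);
    pq_destroy(q);
    return 0;
}
```

The point to take from the check in pq_remove is that a position callback and the array it indexes must agree on their base; here both are 1-based, the live range is `1..size`, and the element's identity is confirmed in the slot before it is overwritten, which is exactly what a mismatch between a 1-based `get()` and a 0-based `d[]` would defeat.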