httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Stoddard" <b...@wstoddard.com>
Subject mod_mem_cache segfault
Date Mon, 17 Jun 2002 20:57:40 GMT
Some more analysis ... The PQ code has an array indexing problem. You can see the problem
at work in cache_pq_remove code:

apr_status_t cache_pq_remove(cache_pqueue_t *q, void* d)
{
    apr_ssize_t posn;
    void *popped = NULL;
    long pri_popped;
    long pri_removed;

    posn  = q->get(d);

/*
 * posn is the position of the entry being removed from the PQ indexed starting from 1.
 */
    popped = cache_pq_pop(q);

    if (!popped)
        return APR_EGENERAL;

    if (d == popped) {
        return APR_SUCCESS;
    }
    pri_popped = q->pri(popped);
    pri_removed = q->pri(d);

    q->d[posn] = popped;

/*
 * Ooops.... we just whacked entry posn indexed starting from 0, which is not the one we
wanted.
 */

I have also noticed that q->d[0] always points to invalid memory which implies that the
q->d array may be subject to overflow as well (ie, accessing position 5 in an array of
size 5).

Bill



Mime
View raw message