httpd-dev mailing list archives

From Kevin Wang <xwang_t...@yahoo.com>
Subject Severe memory corruption problems in apr_rmm_* function of Apache 2.0.48
Date Sat, 06 Dec 2003 00:06:44 GMT
Hi All,

In the past few days, I was trying to figure out a shared memory corruption
problem in my module.  Eventually I found this bug in apr_rmm.c's
find_block_of_size() function.

It is severe enough to mess up all of the rmm memory blocks and make the apr_rmm_*
functions totally unworkable.  The source code version I am referring to is
2.0.48.

Thanks!

-- Kevin

Here are the problems and the fixes:

1. in apr_rmm.c: line 129

if (bestsize - size > sizeof(struct rmm_block_t*)) {

>>>

if (bestsize - size > sizeof(rmm_block_t)) {


2.  in apr_rmm.c: line 141

blk = (rmm_block_t*)((char*)rmm->base + blk->next);

>>>

blk = (rmm_block_t*)((char*)rmm->base + new->next);
