Message-ID: <4A717483.2020401@apache.org>
Date: Thu, 30 Jul 2009 12:22:59 +0200
From: Ruediger Pluem
To: dev@httpd.apache.org
Subject: Re: Segfault with fix for CVE-2009-1891

On 07/30/2009 10:48 AM, Stefan Fritsch wrote:
>> Right, it is not really helpful, but as you seem to be able to reproduce
>> the issue can you please create a backtrace on your own, preferably with
>> an unstripped and -g compiled php (which doesn't seem to be the case in
>> the current backtrace).
>
> Backtrace is attached. Looking at it again, the brigade that contains the
> transient bucket does not seem to belong to the oldwrite filter. It's the
> brigade that is used by mod_php to pass the eos bucket. But since mod_php
> only creates eos buckets and uses ap_fwrite for everything else, I don't
> know where the transient bucket comes from.

I guess this is because they reuse the brigade for sending the EOS bucket
(which is fine). They should simply clean up this brigade before sending the
EOS bucket down the chain.

Regards

Rüdiger