From: Boya Sun
To: dev@httpd.apache.org
Reply-To: boya.sun@case.edu
Date: Wed, 26 Aug 2009 10:44:07 -0400
Subject: Re: four potential bugs discovered from CWRU research group
Message-ID: <3efbea50908260744t279adaefjd26a624474f20bd6@mail.gmail.com>
In-Reply-To: <3efbea50908220904u5f935d82n44ae2688d5b137d8@mail.gmail.com>

Has anyone looked at these bugs yet? I would really appreciate it if someone can comment on the bugs.

On Sat, Aug 22, 2009 at 12:04 PM, Boya Sun wrote:
> Dear Apache-httpd programmers:
>
> This is Boya Sun from Case Western Reserve University. I have sent you
> some potential bugs we discovered in our recent research a few days ago, but
> I haven’t got any response yet, so I tried to organize the bugs and
> resubmitted these 4 potential bugs. I rewrote the potential bugs and the
> potential fixes in the form of patches. Most of the patches are against the
> trunk (revision 806655), except for the second one, which is against the
> branch of 2.2.x at revision 806782. The patch for BUG2 is not a real bug
> fix, but just some comments indicating where the missing code should be
> added, since I am not exactly sure how to fix the bug.
>
> I STRONGLY RECOMMEND you to go over these potential bugs, since these
> potential bugs are very similar to some previous bugs in your issue DB or
> some revisions that look like bug-fixes, which provide strong evidence that
> these potential bugs are real ones.
>
> In order to make it easier to understand, for each bug we discovered, I
> also show the original bug-fix which we used to discover the new bugs.
>
> I would REALLY appreciate that you could help us confirm whether these
> bug-fixes are valid or not, since this is the ONLY way for us to know
> whether our approach of discovering new bugs works.
>
> Thanks very much in advance! And enjoy viewing the bugs…… :-)
>
> BUG1:
> Description: This bug was found by analyzing bug 31440
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=31440); this fix
> replaced "srand((int) time((time_t *) NULL))" function with "seed_rand()" in
> order to improve rand seed generation under the cases "ALG_APMD5" and
> "ALG_CRYPT".
> We have found that in the file "htdbm.c", there are code segments that are
> very similar to the bug being fixed in 31440. We believe that in this file,
> "srand((int) time((time_t *) NULL))" should also be replaced with
> "seed_rand()" for cases "ALG_APMD5" and "ALG_CRYPT"
>
> **********************************original bug-fix*************************************
> --- htpasswd.c (revision 629163) > +++ htpasswd.c (revision 629164) > @@ -126,6 +126,18 @@ > } > } > > +static apr_status_t seed_rand() > +{ > + int seed =3D 0; > + apr_status_t rv; > + rv =3D apr_generate_random_bytes((unsigned char*) &seed, sizeof(seed= )); > + if (rv) { > + apr_file_printf(errfile, "Unable to generate random bytes: %pm" > NL, rv); > + return rv; > + } > + srand(seed); > + return rv; > +} > > static void putline(apr_file_t *f, const char *l) > { > @@ -174,7 +186,9 @@ > break; > > case ALG_APMD5: > - (void) srand((int) time((time_t *) NULL)); > + if (seed_rand()) { > + break; > + } > generate_salt(&salt[0], 8); > salt[8] =3D '\0'; > > @@ -190,7 +204,9 @@ > #if (!(defined(WIN32) || defined(TPF) || defined(NETWARE))) > case ALG_CRYPT: > default: > - (void) srand((int) time((time_t *) NULL)); > + if (seed_rand()) { > + break; > + } > to64(&salt[0], rand(), 8); > salt[8] =3D '\0'; > >
> *****************************discovered potential bug and possible fix*********************
> --- support/htdbm.c (revision 806655) > +++ support/htdbm.c (working copy)
> @@ -298,7 +298,9 @@ > break; > > case ALG_APMD5: > - (void) srand((int) time((time_t *) NULL)); > + if (seed_rand()) { > + break; > + } > to64(&salt[0], rand(), 8); > salt[8] =3D '\0'; > apr_md5_encode((const char *)htdbm->userpass, (const char > *)salt, 
> @@ -314,7 +316,9 @@ > break; > #if (!(defined(WIN32) || defined(NETWARE))) > case ALG_CRYPT: > - (void) srand((int) time((time_t *) NULL)); > + if (seed_rand()) { > + break; > + } > to64(&salt[0], rand(), 8); > salt[8] =3D '\0'; > apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - > 1); >
>
> BUG2:
> Description: This bug was found by analyzing revision 602467
> (http://svn.apache.org/viewvc?view=rev&revision=602467)
> The log of this revision is as follows:
>
> " * core log.c: Work around possible solutions rejected by apr for the old
> implementation of apr_proc_create(), and explicitly pass the output and
> error channels to all log processes created. This goes all the way back to
> piped logs failing to run on win32. Not in or needed at trunk/, as apr 1.3.0
> has the proper fix."
>
> Note that this bug seems to be particular to the 2.2.x branch, so we
> searched for similar bugs in
> <https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x> at revision
> 806782, instead of the trunk.
>
> From the above bug-fix, it seems that before calling "apr_proc_create",
> "apr_procattr_child_out_set" and "apr_procattr_child_err_set" should be
> invoked on "procattr"; however, we have found a bug that these two functions
> are missing where it seems to be appropriate. In this bug, we think that
> before calling "ap_os_create_privileged_process", the two functions
> "apr_procattr_child_*_set" should be invoked. Note that
> "ap_os_create_privileged_process" called "apr_proc_create" inside the
> function.
> We have also found another piece of evidence that shows that this is likely to be a
> real bug, that is, in another file modules/generators/mod_cgid.c, in
> function "cgid_server", the two "apr_procattr_child_*_set" functions are
> invoked before calling "ap_os_create_privileged_process".
>
> The patch I attached is not a real bug-fix, but just some comments
> indicating where the two missing functions should be added, since I am not
> *exactly* sure how to fix the bug.
>
> **********************************original bug-fix*************************************
> --- log.c (revision 602466) > +++ log.c (revision 602467) > @@ -263,7 +263,7 @@ > apr_status_t rc; > apr_procattr_t *procattr; > apr_proc_t *procnew; > - apr_file_t *errfile; > + apr_file_t *outfile, *errfile; > > if (((rc =3D apr_procattr_create(&procattr, p)) =3D=3D APR_SUCCESS) > && ((rc =3D apr_procattr_cmdtype_set(procattr, > @@ -282,8 +282,11 @@ > pname =3D apr_pstrdup(p, args[0]); > procnew =3D (apr_proc_t *)apr_pcalloc(p, sizeof(*procnew)); > > - if (dummy_stderr) { > - if ((rc =3D apr_file_open_stdout(&errfile, p)) =3D=3D APR_SU= CCESS) > + if ((rc =3D apr_file_open_stdout(&outfile, p)) =3D=3D APR_SUCCES= S) { > + rc =3D apr_procattr_child_out_set(procattr, outfile, NULL); > + if (dummy_stderr) > + rc =3D apr_procattr_child_err_set(procattr, outfile, NUL= L); > + else if ((rc =3D apr_file_open_stderr(&errfile, p)) =3D=3D > APR_SUCCESS) > rc =3D apr_procattr_child_err_set(procattr, errfile, NUL= L); > } > > @@ -887,7 +890,13 @@ > else { > char **args; > const char *pname; > + apr_file_t *outfile, *errfile; > > + if ((status =3D apr_file_open_stdout(&outfile, pl->p)) =3D=3D > APR_SUCCESS) > + status =3D apr_procattr_child_out_set(procattr, outfile, NUL= L); > + if ((status =3D apr_file_open_stderr(&errfile, pl->p)) =3D=3D > APR_SUCCESS) > + status =3D apr_procattr_child_err_set(procattr, errfile, NUL= L); > + > apr_tokenize_to_argv(pl->program, &args, pl->p); > pname =3D apr_pstrdup(pl->p, args[0]); > procnew =3D apr_pcalloc(pl->p, sizeof(apr_proc_t)); > >
> *****************************discovered potential bug and possible fix*********************
> --- modules/generators/mod_cgi.c =EF=BC=88revision 806782=EF=BC=89 > +++ modules/generators/mod_cgi.c =EF=BC=88working copy=EF=BC=89
> @@ -446,12 +446,16 @@ > ((rc =3D apr_procattr_addrspace_set(procattr, > e_info->addrspace)) !=3D > APR_SUCCESS) || > ((rc =3D apr_procattr_child_errfn_set(procattr, cgi_child_errfn)= ) !=3D > APR_SUCCESS)) { > + /*apr_procattr_child_err_set(procattr,...) and > + apr_procattr_child_out_set(procattr,...) should be invoked here*/ > + > /* Something bad happened, tell the world. */ > ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r, > "couldn't set child process attributes: %s", > r->filename); > } > else { > procnew =3D apr_pcalloc(p, sizeof(*procnew)); > + /*ap_proc_create() is invoked inside ap_os_create_privileged_process*/ > rc =3D ap_os_create_privileged_process(r, procnew, command, argv= , > env, > procattr, p); >
>
> BUG3:
> Description: This bug was found by analyzing bug 39722
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=39722); this bug added
> a check for the return of ap_server_root_relative; we found a bug where an
> additional check for the return value is missing.
>
> We have observed that almost in all the places where
> ap_server_root_relative is invoked, its return value is checked. In the bug
> we discovered, however, the return value is not checked. I don’t know
> whether it is because that ap_scoreboard_fname is assigned a constant value
> DEFAULT_SCOREBOARD. But I think it is safe to add a check to the return
> value anyway…
>
> **********************************original bug-fix*************************************
> --- core.c revision 589176 > +++ core.c revision 589177
> @@ -1164,6 +1164,9 @@ > > /* Make it absolute, relative to ServerRoot */ > arg =3D ap_server_root_relative(cmd->pool, arg); > + if (arg =3D=3D NULL) { > + return "DocumentRoot must be a directory"; > + } > > /* TODO: ap_configtestonly && ap_docrootcheck && */ > if (apr_filepath_merge((char**)&conf->ap_document_root, NULL, arg, > > >
> *****************************discovered potential bug and possible fix*********************
> --- server/scoreboard.c (revision 806655) > +++ server/scoreboard.c (working copy) > @@ -221,7 +221,9 @@ > /* Make sure it's an absolute pathname */ > ap_scoreboard_fname =3D DEFAULT_SCOREBOARD; > fname =3D ap_server_root_relative(pconf, ap_scoreboard_fname= ); > - > + if(!fname){ > + //Add error handling messsage and return > + } > return create_namebased_scoreboard(global_pool, fname); > } > } >
>
> BUG4:
> Description: This bug was found by analyzing bug 39518
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=39518); this bug changed
> some "apr_palloc / memcpy" construction into a single apr_pmemdup.
>
> It is actually not a bug-fix, but the change of programming style.
> However, I think it’s still worth mentioning some of the code segments we
> discovered which need to be refactored the same way as the bug-fix.
>
> **********************************original bug-fix*************************************
> --- mod_include.c (revision 557836) > +++ mod_include.c (revision 557837)
> @@ -3225,9 +3225,8 @@ > > /* check if we mismatched earlier and have to release some > chars */ > if (release && (ctx->flags & SSI_FLAG_PRINTING)) { > - char *to_release =3D apr_palloc(ctx->pool, release); > + char *to_release =3D apr_pmemdup(ctx->pool, > intern->start_seq, release); > > - memcpy(to_release, intern->start_seq, release); > newb =3D apr_bucket_pool_create(to_release, release, > ctx->pool, > f->c->bucket_alloc); > APR_BRIGADE_INSERT_TAIL(pass_bb, newb); > *****************************discovered potential bug and possible > fix********************* > --- server/util_filter.c (revision 806655) > +++ server/util_filter.c (working copy) > @@ -74,9 +74,8 @@ > if (parent->nchildren =3D=3D parent->size) { > filter_trie_child_ptr *new; > parent->size *=3D 2; > - new =3D (filter_trie_child_ptr *)apr_palloc(p, parent->size * > - > sizeof(filter_trie_child_ptr)); > - memcpy(new, parent->children, parent->nchildren * > + > + new =3D (filter_trie_child_ptr *)apr_pmemdup(p, parent->children, > parent->nchildren * > sizeof(filter_trie_child_ptr)); > parent->children =3D new; > } > --- modules/http/mod_mime.c (revision 806655) > +++ modules/http/mod_mime.c (working copy) 
> @@ -182,10 +182,10 @@ > APR_HASH_KEY_STRING); > if (exinfo && *(const char**)((char *)exinfo + suffix[i].offset)= ) > { > extension_info *copyinfo =3D exinfo; > - exinfo =3D (extension_info*)apr_palloc(p, sizeof(*exinfo)); > + exinfo =3D (extension_info*)apr_pmemdup(p,copyinfo, > sizeof(*exinfo)); > apr_hash_set(mappings, suffix[i].name, > APR_HASH_KEY_STRING, exinfo); > - memcpy(exinfo, copyinfo, sizeof(*exinfo)); > + > *(const char**)((char *)exinfo + suffix[i].offset) =3D NULL; > } > } >
>
> --
> BOYA SUN
> Computer Science Division
> Electrical Engineering & Computer Science Department
> 513 Olin Building
> Case Western Reserve University
> 10900 Euclid Avenue
> Cleveland, OH 44106
> boya.sun@case.edu
>

--
BOYA SUN
Computer Science Division
Electrical Engineering & Computer Science Department
513 Olin Building
Case Western Reserve University
10900 Euclid Avenue
Cleveland, OH 44106
boya.sun@case.edu
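
Review bot: the "if (seed_rand())" call added to the ALG_APMD5 case in support/htdbm.c (hunk @@ -298,7 +298,9 @@) has no definition in the htdbm.c patch as shown. The original fix added seed_rand() as a static function in htpasswd.c, where it also relies on that file's "errfile" and "NL", so it is not visible from htdbm.c. Add an equivalent helper to htdbm.c in the same patch (or move it to code both tools share), adapted to whatever error output htdbm.c uses.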
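
Review bot: in the ALG_CRYPT case of support/htdbm.c (hunk @@ -314,7 +316,9 @@) the new "break" on seed_rand() failure skips both the salt generation and "apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1);", and the hunk does not show what runs after the switch. Confirm the caller gets an error status on this path rather than going on to store whatever cpw holds. Separately, the salt still comes from "to64(&salt[0], rand(), 8)", so one int-sized rand() value is spread over eight characters; filling the salt from apr_generate_random_bytes directly would avoid rand() altogether.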
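
Review bot: the first added comment in modules/generators/mod_cgi.c (hunk @@ -446,12 +446,16 @@) sits inside the failure branch, after "!= APR_SUCCESS)) {" and before "Something bad happened, tell the world.", so calls placed "here" would run only when an earlier apr_procattr_*_set call has already failed. If the two calls are needed, they belong in the "||" chain above or in the else branch before ap_os_create_privileged_process. The second comment names "ap_proc_create()", while the description and the log.c fix refer to apr_proc_create.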
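
Review bot: the added "if(!fname){" block in server/scoreboard.c (hunk @@ -221,7 +221,9 @@) contains only a comment, so a NULL fname still falls through to "return create_namebased_scoreboard(global_pool, fname);". Replace the placeholder with a logged error and an early return of a failure status. The "//" comment should use the /* */ style of the surrounding lines, and "messsage" is misspelled.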
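
Review bot: in server/util_filter.c (hunk @@ -74,9 +74,8 @@) the apr_pmemdup call allocates "parent->nchildren * sizeof(filter_trie_child_ptr)" bytes, whereas the removed apr_palloc allocated "parent->size * sizeof(filter_trie_child_ptr)" after "parent->size *= 2;". The copy length is unchanged but the new array is now only as large as the old one, so parent->size overstates the buffer and there is no room for the child this growth was meant to hold. Keep apr_palloc plus memcpy here, because the allocation size and the copy size are intentionally different.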
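
The time-seeded salt pattern discussed under BUG1, as an added example that is not part of the original message and is not httpd code: it shows that entries created in the same second share a salt, and that a salt taken from one rand() value has a constant tail. The names to64_example, salt_time_seeded, salt_os_random and count_repeated_salts are hypothetical, the encoder is a stand-in for the to64() the hunks call, and the timestamp is a constructed sample; /dev/urandom is assumed to exist.

```c
/* Added illustration; not code from httpd or from the patches above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define SALT_LEN 8

/* crypt(3)-style alphabet; 6 bits per output character. */
static const char ITOA64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Hypothetical stand-in for the to64() helper the hunks call:
 * writes n characters taken from v, low 6 bits first. */
static void to64_example(char *s, unsigned long long v, int n)
{
    while (--n >= 0) {
        *s++ = ITOA64[v & 0x3f];
        v >>= 6;
    }
}

/* The pattern being replaced: seed from wall-clock seconds, then derive
 * the whole salt from a single rand() value. rand() returns an int, so
 * with a 32-bit int at most 31 bits reach the encoder and the last two
 * of the eight characters are always '.'. */
void salt_time_seeded(time_t now, char out[SALT_LEN + 1])
{
    srand((unsigned int) now);
    to64_example(out, (unsigned long long) rand(), SALT_LEN);
    out[SALT_LEN] = '\0';
}

/* Alternative: take all 48 salt bits from the OS generator, with no
 * srand()/rand() in between. Returns 0 on success and -1 on failure;
 * it never falls back to a weaker source. */
int salt_os_random(char out[SALT_LEN + 1])
{
    unsigned char buf[6];
    unsigned long long v = 0;
    size_t got, i;
    FILE *f = fopen("/dev/urandom", "rb");

    if (f == NULL)
        return -1;
    got = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    if (got != sizeof(buf))
        return -1;
    for (i = 0; i < sizeof(buf); i++)
        v = (v << 8) | buf[i];
    to64_example(out, v, SALT_LEN);
    out[SALT_LEN] = '\0';
    return 0;
}

/* Counts entries whose time-seeded salt repeats an earlier entry's salt,
 * given each entry's creation time (at most 64 entries are examined). */
int count_repeated_salts(const time_t *created, int n)
{
    char salts[64][SALT_LEN + 1];
    int i, j, repeats = 0;

    if (n > 64)
        n = 64;
    for (i = 0; i < n; i++) {
        salt_time_seeded(created[i], salts[i]);
        for (j = 0; j < i; j++) {
            if (strcmp(salts[i], salts[j]) == 0) {
                repeats++;
                break;
            }
        }
    }
    return repeats;
}

int main(void)
{
    /* Constructed sample: three entries created within the same second. */
    time_t t0 = (time_t) 1251297847;
    time_t created[3];
    char weak[SALT_LEN + 1], strong[SALT_LEN + 1];

    created[0] = created[1] = created[2] = t0;
    salt_time_seeded(t0, weak);
    printf("time-seeded salt: %s, repeats among 3 entries: %d\n",
           weak, count_repeated_salts(created, 3));
    if (salt_os_random(strong) == 0)
        printf("OS-random salt:   %s\n", strong);
    else
        fprintf(stderr, "no OS randomness available; refusing to continue\n");
    return 0;
}
```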
