httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject ap_proxy_share_worker/balancer possible use of freed mem
Date Tue, 15 Oct 2013 19:54:28 GMT
Helo,

these functions may try to log malloc()ed worker/balancer's shared data
freed just earlier.

Yet, mod_proxy does not seem to set the ap_proxy_define_worker/balancer()'s
do_malloc flag anywhere, so malloc()ed shared data should not occur.

However that's allowed by the API...
A possible patch follows.

Regards,
Yann.

Index: modules/proxy/proxy_util.c
===================================================================
--- modules/proxy/proxy_util.c    (revision 1532496)
+++ modules/proxy/proxy_util.c    (working copy)
@@ -1218,11 +1218,13 @@ PROXY_DECLARE(apr_status_t) ap_proxy_share_balance
     } else {
         action = "re-using";
     }
+    balancer->s = shm;
+    balancer->s->index = i;
+
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, APLOGNO(02337)
                  "%s shm[%d] (0x%pp) for %s", action, i, (void *)shm,
                  balancer->s->name);
-    balancer->s = shm;
-    balancer->s->index = i;
+
     /* the below should always succeed */
     lbmethod = ap_lookup_provider(PROXY_LBMETHOD, balancer->s->lbpname,
"0");
     if (lbmethod) {
@@ -1731,12 +1733,13 @@ PROXY_DECLARE(apr_status_t) ap_proxy_share_worker(
     } else {
         action = "re-using";
     }
+    worker->s = shm;
+    worker->s->index = i;
+
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, APLOGNO(02338)
                  "%s shm[%d] (0x%pp) for worker: %s", action, i, (void
*)shm,
                  ap_proxy_worker_name(NULL, worker));

-    worker->s = shm;
-    worker->s->index = i;
     return APR_SUCCESS;
 }
 [EOS]

Mime
View raw message