Return-Path:
Delivered-To: apache-bugdb-archive@hyperreal.org
Received: (qmail 20651 invoked by uid 6000); 1 Dec 1997 22:10:06 -0000
Received: (qmail 20608 invoked by uid 2001); 1 Dec 1997 22:10:01 -0000
Received: (qmail 27646 invoked by uid 2012); 1 Dec 1997 20:59:46 -0000
Message-Id: <19971201205946.27645.qmail@hyperreal.org>
Date: 1 Dec 1997 20:59:46 -0000
From: Roy Wood
Reply-To: Roy.Wood@unisys.com
To: apbugs@hyperreal.org
X-Send-Pr-Version: 3.2
Subject: mod_cern_meta/1500: mod_cern_meta corrupts memory pool
Sender: apache-bugdb-owner@apache.org
Precedence: bulk

>Number: 1500
>Category: mod_cern_meta
>Synopsis: mod_cern_meta corrupts memory pool
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Dec 1 14:10:01 PST 1997
>Last-Modified:
>Originator: Roy.Wood@unisys.com
>Organization: apache
>Release: 1.2.4
>Environment:
Unixware 2.1.2
Stronghold 2.1.1
>Description:
Running Stronghold 2.1.1 causes the username field of the log to be corrupted with HTML from the page served. We added debugging trace statements and determined that the base Apache code was at fault.

The problem appears to be that the cern_meta_module, in function add_cern_meta_data(), calls the destroy_sub_req() function. This frees the memory sub pool that was being used to store the Remote User ID and a lot of other key pieces of information. This free should not take place until the transaction has been totally completed. Normally the http_core module frees all memory pools at the end of the transaction, which is where it should occur. Because the memory pool that contains the Remote User ID has been freed, the content of the Remote User ID field may or may not get overwritten by allocations that follow the freeing of the pool.

The addition of the ssl module (Stronghold) causes a lot more memory allocations to occur after the premature freeing of the Remote User ID pool, and because of this we did not see the problem in the basic non-ssl version of the Apache server until after the Stronghold version was installed.
>How-To-Repeat:
Run something that uses a large amount of memory from the server's memory pool.
>Fix:
We believe the solution to this problem is to NOT allow the cern_meta_module to free the memory pool (just comment out the two calls to destroy_sub_req(rr)). The pool which contains the Remote User ID field will then get freed by the http_core module when everyone is finished with the transaction.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
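To make the lifetime hazard described in this PR concrete, the following is an added example and not code from the report or from Apache. It models a hypothetical, much-simplified pool allocator (pool_create, pool_strdup, pool_destroy, block_get and the struct request are assumptions of this example, not Apache's pool API) in which destroying a sub-pool puts its block on a free list that the next pool reuses without clearing. log_user_buggy() follows the order the PR describes: the user name is stored in the sub-request's pool, that pool is destroyed early, and a later allocation (the response body here, the SSL module's buffers in the report) lands in the recycled block, so the log's username field reads HTML. log_user_fixed() defers the destroy until the transaction ends, as the PR proposes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, much-simplified pool allocator (not Apache's own code): every
 * pool owns one fixed-size block; pool_destroy() pushes the block onto a global
 * free list and the next pool_create() pops it back without clearing it. */
#define BLOCK_SIZE 256

struct block {
    char data[BLOCK_SIZE];
    struct block *next;          /* link used only while on the free list */
};

struct pool {
    struct block *blk;
    size_t used;                 /* bytes already handed out from blk->data */
};

static struct block *free_blocks = NULL;

static struct block *block_get(void)
{
    if (free_blocks != NULL) {   /* recycle the most recently freed block first */
        struct block *b = free_blocks;
        free_blocks = b->next;
        return b;
    }
    return calloc(1, sizeof(struct block));
}

struct pool *pool_create(void)
{
    struct pool *p = calloc(1, sizeof *p);
    p->blk = block_get();
    p->used = 0;
    return p;
}

/* Copy s into the pool; the pointer is valid only for the pool's lifetime. */
char *pool_strdup(struct pool *p, const char *s)
{
    size_t n = strlen(s) + 1;
    if (p->used + n > BLOCK_SIZE)
        return NULL;
    char *dst = p->blk->data + p->used;
    memcpy(dst, s, n);
    p->used += n;
    return dst;
}

void pool_destroy(struct pool *p)
{
    p->blk->next = free_blocks;  /* contents are left untouched on the free list */
    free_blocks = p->blk;
    free(p);
}

struct request {
    const char *remote_user;     /* what the access log's username field prints */
};

/* Buggy order from the PR: the user name lives in the sub-request pool, which
 * is destroyed early; the next allocation reuses that block. Returns the
 * string the log line would show. */
const char *log_user_buggy(char *out, size_t outlen)
{
    struct request r = { NULL };
    struct pool *sub = pool_create();
    r.remote_user = pool_strdup(sub, "alice");      /* constructed sample user */
    pool_destroy(sub);                              /* the premature destroy_sub_req() */
    struct pool *later = pool_create();             /* gets sub's block back */
    pool_strdup(later, "<html><body>hello</body></html>"); /* constructed page body */
    snprintf(out, outlen, "%s", r.remote_user);     /* reads the recycled block */
    pool_destroy(later);
    return out;
}

/* Fixed order, matching the PR's proposal: keep the sub-request pool alive
 * until the transaction is finished, then destroy it with everything else. */
const char *log_user_fixed(char *out, size_t outlen)
{
    struct request r = { NULL };
    struct pool *sub = pool_create();
    r.remote_user = pool_strdup(sub, "alice");
    struct pool *later = pool_create();             /* must take a different block */
    pool_strdup(later, "<html><body>hello</body></html>");
    snprintf(out, outlen, "%s", r.remote_user);     /* still "alice" */
    pool_destroy(later);
    pool_destroy(sub);                              /* end of transaction */
    return out;
}

int main(void)
{
    char buf[64];
    printf("buggy: username field = %s\n", log_user_buggy(buf, sizeof buf));
    printf("fixed: username field = %s\n", log_user_fixed(buf, sizeof buf));
    return 0;
}
```

The same hazard exists whenever a pointer outlives the pool it was allocated from, so an alternative to deferring the destroy is to copy the Remote User ID into the longer-lived request pool before the sub-request is released. Because the corruption only shows when a later allocation happens to reuse the block, it is intermittent in production; a debugging build that overwrites freed blocks with a fill pattern makes the stale read fail deterministically and is the quickest way to confirm a report like this one.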