From: Eric Covener Date: Wed, 12 Nov 2014 17:32:24 +0000 (+0000) Subject: avoid dereferencing a recently apr_pool_clear()'ed event_conn_state_t *cs X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59eea59c4be383d004e92fa63b57b995e7a8ef01;p=thirdparty%2Fapache%2Fhttpd.git avoid dereferencing a recently apr_pool_clear()'ed event_conn_state_t *cs in several paths where ptrans is being recycled at the end of a request. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1638879 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c
index 2003977b638..692119ba156 100644
--- a/server/mpm/event/event.c
+++ b/server/mpm/event/event.c
@@ -852,6 +852,7 @@ static int start_lingering_close_common(event_conn_state_t *cs)
 rv = apr_pollset_add(event_pollset, &cs->pfd);
 apr_thread_mutex_unlock(timeout_mutex);
 if (rv != APR_SUCCESS && !APR_STATUS_IS_EEXIST(rv)) {
+ apr_pool_t *p = cs->p;
 ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf, "start_lingering_close: apr_pollset_add failure");
 apr_thread_mutex_lock(timeout_mutex);
@@ -859,7 +860,7 @@ static int start_lingering_close_common(event_conn_state_t *cs)
 apr_thread_mutex_unlock(timeout_mutex);
 apr_socket_close(cs->pfd.desc.s);
 apr_pool_clear(cs->p);
- ap_push_pool(worker_queue_info, cs->p);
+ ap_push_pool(worker_queue_info, p);
 return 0;
 }
 return 1;
@@ -876,8 +877,9 @@ static int start_lingering_close_common(event_conn_state_t *cs)
 static int start_lingering_close_blocking(event_conn_state_t *cs)
 {
 if (ap_start_lingering_close(cs->c)) {
+ apr_pool_t *p = cs->p;
 apr_pool_clear(cs->p);
- ap_push_pool(worker_queue_info, cs->p);
+ ap_push_pool(worker_queue_info, p);
 return 0;
 }
 return start_lingering_close_common(cs);
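Review bot: In start_lingering_close_common the clear is still written `apr_pool_clear(cs->p);` while the push on the next line uses the saved `p`, which is correct only because `cs->p` is read before the clear runs, and nothing in the code says why the copy exists. The same two-call sequence is patched identically in start_lingering_close_blocking, stop_lingering_close, push2worker and process_lingering_close, so I would fold it into one static helper that reads the pool pointer once and uses it for both calls, with the reason in a comment. The commit message implies that cs is allocated from cs->p; the allocation is not in this diff, so the comment wording should be checked against it. The helper name below is only a suggestion, and the function body continues outside the hunks.

```c
/* cs is allocated from cs->p (per the commit message), so the pool pointer
 * has to be read before apr_pool_clear() and cs must not be used afterwards.
 */
static void recycle_conn_pool(event_conn_state_t *cs)
{
    apr_pool_t *p = cs->p;

    apr_pool_clear(p);
    ap_push_pool(worker_queue_info, p);
}

/* … unchanged: error logging and timeout-queue removal in start_lingering_close_common … */
        apr_socket_close(cs->pfd.desc.s);
        recycle_conn_pool(cs);
        return 0;
```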
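Review bot: The `return 0;` path in start_lingering_close_blocking leaves the caller holding a cs whose pool has just been cleared and handed back to worker_queue_info, and nothing in the hunk documents that. The function's header comment lies above the hunk; if it does not already say so, I would add a line such as `/* A return of 0 means cs and its pool have been recycled; the caller must not touch cs again. */`. The same contract holds for the 0 return of start_lingering_close_common, which this function falls through to.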
@@ -919,6 +921,7 @@ static int stop_lingering_close(event_conn_state_t *cs)
 {
 apr_status_t rv;
 apr_socket_t *csd = ap_get_conn_socket(cs->c);
+ apr_pool_t *p = cs->p;
 ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, ap_server_conf, "socket reached timeout in lingering-close state");
 rv = apr_socket_close(csd);
@@ -927,7 +930,7 @@ static int stop_lingering_close(event_conn_state_t *cs)
 AP_DEBUG_ASSERT(0);
 }
 apr_pool_clear(cs->p);
- ap_push_pool(worker_queue_info, cs->p);
+ ap_push_pool(worker_queue_info, p);
 return 0;
 }
@@ -1351,6 +1354,7 @@ static apr_status_t push2worker(const apr_pollfd_t * pfd,
 rc = ap_queue_push(worker_queue, cs->pfd.desc.s, cs, cs->p);
 if (rc != APR_SUCCESS) {
+ apr_pool_t *p = cs->p;
 /* trash the connection; we couldn't queue the connected * socket to a worker */
@@ -1359,7 +1363,7 @@ static apr_status_t push2worker(const apr_pollfd_t * pfd,
 ap_log_error(APLOG_MARK, APLOG_CRIT, rc, ap_server_conf, APLOGNO(00471) "push2worker: ap_queue_push failed");
 apr_pool_clear(cs->p);
- ap_push_pool(worker_queue_info, cs->p);
+ ap_push_pool(worker_queue_info, p);
 }
 return rc;
@@ -1580,6 +1584,7 @@ static void process_lingering_close(event_conn_state_t *cs, const apr_pollfd_t *
 apr_size_t nbytes;
 apr_status_t rv;
 struct timeout_queue *q;
+ apr_pool_t *p = cs->p;
 q = (cs->pub.state == CONN_STATE_LINGER_SHORT) ? &short_linger_q : &linger_q;
 /* socket is already in non-blocking state */
@@ -1604,7 +1609,7 @@ static void process_lingering_close(event_conn_state_t *cs, const apr_pollfd_t *
 TO_QUEUE_ELEM_INIT(cs);
 apr_pool_clear(cs->p);
- ap_push_pool(worker_queue_info, cs->p);
+ ap_push_pool(worker_queue_info, p);
 }
 /* call 'func' for all elements of 'q' with timeout less than 'timeout_time'.
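Review bot: The declaration `apr_pool_t *p = cs->p;` at the top of process_lingering_close gives no hint of why the copy exists, and its only visible use is the `ap_push_pool(worker_queue_info, p);` call at the very end; the lines between the two hunks are not shown. A later cleanup could easily fold it back into `cs->p` and reintroduce the read of a cleared object. I would either annotate the declaration, `apr_pool_t *p = cs->p; /* saved here: cs is invalid once its pool is cleared below */`, or move the read down next to `TO_QUEUE_ELEM_INIT(cs);`, where cs is evidently still valid. stop_lingering_close reads `p` at function entry in the same way and would take the same comment.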