Fix memory corruption problem with ap_custom_response() function.

The core per-dir config would later point to request pool data
that would be reused for different purposes on different requests.

Submitted by:	Will Lowe
Updated by:     Jeff Trawick
Reviewed by:	stoddard, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@103197 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/STATUS b/STATUS
index a36f32a076618a0a4ffcea9c72582bf7464c7828..2f2a4974d48fb7e2880b03faca0813b3361c1081 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 1.3 STATUS:                                             -*-text-*-
-  Last modified at [$Date: 2004/03/29 18:25:03 $]
+  Last modified at [$Date: 2004/03/29 18:35:29 $]
 
 Release:
 
@@ -50,14 +50,6 @@ RELEASE SHOWSTOPPERS:
   *  PR: 27023 Cookie could not delivered if the cookie made before
          proxy module.
 
-   * ap_custom_response memory corruption
-      discussion:
-       Message-ID: <4062E7F3.7010707@attglobal.net>
-       Subject: [1.3 PATCH] fix ap_custom_response() memory corruption issue
-      patch:
-       http://www.apache.org/~trawick/13_custom_response_patch
-        +1: trawick, stoddard, jim
-
 RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
 
    * isn't ap_die() broken with recognizing recursive errors

diff --git a/src/CHANGES b/src/CHANGES
index 73d8f497423d6dadeb6c187ada6a46399c3dbdbb..ca2471ed4e09ef21aae2b62aed148352d3fd7a45 100644 (file)
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,10 @@
 Changes with Apache 1.3.30
 
+  *) Fix memory corruption problem with ap_custom_response() function.
+     The core per-dir config would later point to request pool data
+     that would be reused for different purposes on different requests.
+     [Will Lowe, Jeff Trawick]
+
   *) Reinit socket to allow mod_proxy to continue to try
      connections when invalid IPs are accessed. PR 27542.
      [Alexander Prohorenko <white extrasy.net>]

diff --git a/src/include/http_core.h b/src/include/http_core.h
index 5732202889386f9b377a2aa61a4f73807ebc0773..5e20bf7014d18b54bce1e5fd67904124d72106f3 100644 (file)
--- a/src/include/http_core.h
+++ b/src/include/http_core.h
@@ -209,7 +209,9 @@ typedef struct {
      * This lets us do quick merges in merge_core_dir_configs().
      */
   
-    char **response_code_strings;
+    char **response_code_strings; /* from ErrorDocument, not from
+                                   * ap_custom_response()
+                                   */
 
     /* Hostname resolution etc */
 #define HOSTNAME_LOOKUP_OFF    0

diff --git a/src/main/http_core.c b/src/main/http_core.c
index 9d2b94b577dfb54bc1d2947383ff1226978689ad..ddb090d6d302a88c025e6f1ba0cabdb45def9a7a 100644 (file)
--- a/src/main/http_core.c
+++ b/src/main/http_core.c
@@ -53,6 +53,15 @@
 #define MMAP_LIMIT              (4*1024*1024)
 #endif
 
+typedef struct {
+    /* Custom response strings registered via ap_custom_response(),
+     * or NULL; check per-dir config if nothing found here
+     */
+    char **response_code_strings; /* from ap_custom_response(), not from
+                                   * ErrorDocument
+                                   */
+} core_request_config;
+
 /* Server core module... This module provides support for really basic
  * server operations, including options and commands which control the
  * operation of other modules.  Consider this the bureaucracy module.
@@ -580,15 +589,30 @@ API_EXPORT(int) ap_satisfies(request_rec *r)
 
 API_EXPORT(char *) ap_response_code_string(request_rec *r, int error_index)
 {
-    core_dir_config *conf;
+    core_request_config *reqconf;
+    core_dir_config *dirconf;
 
-    conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
-                                                  &core_module); 
+    /* prefer per-request settings, which are created by calls to
+     * ap_custom_response()
+     */
+    reqconf = (core_request_config *)ap_get_module_config(r->request_config,
+                                                          &core_module); 
 
-    if (conf->response_code_strings == NULL) {
+    if (reqconf != NULL &&
+        reqconf->response_code_strings != NULL &&
+        reqconf->response_code_strings[error_index] != NULL) {
+        return reqconf->response_code_strings[error_index];
+    }
+
+    /* check for string specified via ErrorDocument */
+    dirconf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+                                                      &core_module);
+
+    if (dirconf->response_code_strings == NULL) {
        return NULL;
     }
-    return conf->response_code_strings[error_index];
+
+    return dirconf->response_code_strings[error_index];
 }
 
 
@@ -1193,20 +1217,26 @@ static const char *set_document_root(cmd_parms *cmd, void *dummy, char *arg)
 
 API_EXPORT(void) ap_custom_response(request_rec *r, int status, char *string)
 {
-    core_dir_config *conf = 
-       ap_get_module_config(r->per_dir_config, &core_module);
+    core_request_config *reqconf =
+       ap_get_module_config(r->request_config, &core_module);
     int idx;
 
-    if(conf->response_code_strings == NULL) {
-        conf->response_code_strings = 
+    if (reqconf == NULL) {
+        reqconf = (core_request_config *)ap_pcalloc(r->pool,
+                                                    sizeof(core_request_config));
+        ap_set_module_config(r->request_config, &core_module, reqconf);
+    }
+    
+    if (reqconf->response_code_strings == NULL) {
+        reqconf->response_code_strings = 
            ap_pcalloc(r->pool,
-                   sizeof(*conf->response_code_strings) * 
-                   RESPONSE_CODES);
+                       sizeof(reqconf->response_code_strings) * 
+                       RESPONSE_CODES);
     }
 
     idx = ap_index_of_response(status);
 
-    conf->response_code_strings[idx] = 
+    reqconf->response_code_strings[idx] = 
        ((ap_is_url(string) || (*string == '/')) && (*string != '"')) ? 
        ap_pstrdup(r->pool, string) : ap_pstrcat(r->pool, "\"", string, NULL);
 }