From: Yann Ylavic Date: Fri, 3 Dec 2021 15:34:16 +0000 (+0000) Subject: Merge r1894171 from trunk: X-Git-Tag: candidate-2.4.52-rc1~89 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41f5c02eaf1b52d8c9b13043934e31195e4532bf;p=thirdparty%2Fapache%2Fhttpd.git Merge r1894171 from trunk: *) core: Be safe with ap_lingering_close() called with a socket NULL-ed. PR 65627. mod_itk seems to: ap_set_core_module_config(c->conn_config, NULL) before calling ap_lingering_close(), causing a crash after r1891721. Until we have an API to no-op ap_lingering_close(), let's be safe. * server/connection.c(ap_start_lingering_close): The socket should not be NULL here, add an assertion. * server/connection.c(ap_lingering_close): Set c->aborted if the socket is NULL, and give up. Submitted by: acmondor , ylavic Reviewed by: ylavic, icing, rpluem Github: closes #277 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895555 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 96cb925b779..6bbe0383ec1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.52 + *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by + a third-party module. PR 65627. + [acmondor , Yann Ylavic] + *) mod_md: Fix memory leak in case of failures to load the private key. PR 65620 [ Filipe Casal ] diff --git a/server/connection.c b/server/connection.c index 03ecd90107c..bbc94c43cc3 100644 --- a/server/connection.c +++ b/server/connection.c @@ -122,9 +122,7 @@ AP_DECLARE(int) ap_start_lingering_close(conn_rec *c) { apr_socket_t *csd = ap_get_conn_socket(c); - if (!csd) { - return 1; - } + ap_assert(csd != NULL); if (ap_prep_lingering_close(c)) { return 1; 
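Review bot: `ap_assert(csd != NULL)` in ap_start_lingering_close() (server/connection.c) makes a missing socket fatal for any code that calls this AP_DECLARE'd function directly, where the removed lines returned 1. ap_lingering_close() gets its own NULL guard in the next hunk, but other callers are not visible here, and a module that clears the core connection config before calling in would now take the child process down, assuming ap_assert aborts on failure as it normally does in httpd. The precondition should be written down at the assertion, e.g. `/* csd must be non-NULL: ap_lingering_close() filters the NULL case, other callers must check before calling */`. The function body continues past the end of the hunk.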
@@ -155,6 +153,15 @@ AP_DECLARE(void) ap_lingering_close(conn_rec *c) apr_time_t now, timeup = 0; apr_socket_t *csd = ap_get_conn_socket(c); + if (!csd) { + /* Be safe with third-party modules that: + * ap_set_core_module_config(c->conn_config, NULL) + * to no-op ap_lingering_close(). + */ + c->aborted = 1; + return; + } + if (ap_start_lingering_close(c)) { apr_socket_close(csd); return;
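Review bot: The new `if (!csd)` branch in ap_lingering_close() returns without closing anything and without leaving a log record, so a connection whose socket was detached by a module drops out of the close path silently. A trace-level line before `c->aborted = 1;`, such as `ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "lingering close skipped: no client socket");`, would make this visible when diagnosing descriptor leaks or crashes of the PR 65627 kind. The comment should also say that the module which cleared the config is then responsible for closing the socket; that ownership is inferred here from the early return rather than stated anywhere in the hunk. The function body continues outside the hunk.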