From: Yann Ylavic Date: Tue, 12 Oct 2021 16:48:18 +0000 (+0000) Subject: *) core: Be safe with ap_lingering_close() called with a socket NULL-ed. X-Git-Tag: 2.5.0-alpha2-ci-test-only~750 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59b7c104ce06c90be20ff50435d912a444341245;p=thirdparty%2Fapache%2Fhttpd.git *) core: Be safe with ap_lingering_close() called with a socket NULL-ed. PR 65627. mod_itk seems to: ap_set_core_module_config(c->conn_config, NULL) before calling ap_lingering_close(), causing a crash after r1891721. Until we have an API to no-op ap_lingering_close(), let's be safe. * server/connection.c(ap_start_lingering_close): The socket should not be NULL here, add an assertion. * server/connection.c(ap_lingering_close): Set c->aborted if the socket is NULL, and give up. Submitted by: acmondor , ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1894171 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/changes-entries/ap_lingering_close-NULL.txt b/changes-entries/ap_lingering_close-NULL.txt new file mode 100644 index 00000000000..43cc6930b56 --- /dev/null +++ b/changes-entries/ap_lingering_close-NULL.txt @@ -0,0 +1,3 @@ + *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by + a third-party module. PR 65627. + [acmondor , Yann Ylavic] diff --git a/server/connection.c b/server/connection.c index f89ac553c60..a7a51cf7414 100644 --- a/server/connection.c +++ b/server/connection.c @@ -145,9 +145,7 @@ AP_DECLARE(int) ap_start_lingering_close(conn_rec *c) { apr_socket_t *csd = ap_get_conn_socket(c); - if (!csd) { - return 1; - } + ap_assert(csd != NULL); if (ap_prep_lingering_close(c)) { return 1; 
@@ -178,6 +176,15 @@ AP_DECLARE(void) ap_lingering_close(conn_rec *c) apr_time_t now, timeup = 0; apr_socket_t *csd = ap_get_conn_socket(c); + if (!csd) { + /* Be safe with third-party modules that: + * ap_set_core_module_config(c->conn_config, NULL) + * to no-op ap_lingering_close(). + */ + c->aborted = 1; + return; + } + if (ap_start_lingering_close(c)) { apr_socket_close(csd); return;
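Review bot: in ap_start_lingering_close(), replacing the `if (!csd) { return 1; }` early return with `ap_assert(csd != NULL);` turns a NULL socket from a handled condition into a process abort for any caller that does not pass through the new guard in ap_lingering_close(). The function is exported with AP_DECLARE, so code outside this file can call it directly and now carries a precondition that is stated only in the commit message. Either keep the graceful `return 1` (with a log message), or document the non-NULL socket requirement in the function's API comment so direct callers know to check first.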
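Review bot: in the new `if (!csd)` block of ap_lingering_close(), the comment says modules clear the core config "to no-op ap_lingering_close()", but this path is not a pure no-op: it sets `c->aborted = 1`, which later code handling the connection can observe. The comment should say that, and should also state that the socket is not closed on this path, so closing it is left to the module that cleared the config. A debug-level log line here would help tell this case apart from a genuinely aborted connection when triaging reports like PR 65627.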