From: Jeff Trawick Date: Mon, 29 Mar 2004 18:35:29 +0000 (+0000) Subject: Fix memory corruption problem with ap_custom_response() function. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88dd52f52c472dda5ebb6816da06322c650d81bc;p=thirdparty%2Fapache%2Fhttpd.git Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. Submitted by: Will Lowe Updated by: Jeff Trawick Reviewed by: stoddard, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@103197 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index a36f32a0766..2f2a4974d48 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 1.3 STATUS: -*-text-*- - Last modified at [$Date: 2004/03/29 18:25:03 $] + Last modified at [$Date: 2004/03/29 18:35:29 $] Release: @@ -50,14 +50,6 @@ RELEASE SHOWSTOPPERS: * PR: 27023 Cookie could not delivered if the cookie made before proxy module. - * ap_custom_response memory corruption - discussion: - Message-ID: <4062E7F3.7010707@attglobal.net> - Subject: [1.3 PATCH] fix ap_custom_response() memory corruption issue - patch: - http://www.apache.org/~trawick/13_custom_response_patch - +1: trawick, stoddard, jim - RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP: * isn't ap_die() broken with recognizing recursive errors diff --git a/src/CHANGES b/src/CHANGES index 73d8f497423..ca2471ed4e0 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,10 @@ Changes with Apache 1.3.30 + *) Fix memory corruption problem with ap_custom_response() function. + The core per-dir config would later point to request pool data + that would be reused for different purposes on different requests. + [Will Lowe, Jeff Trawick] + *) Reinit socket to allow mod_proxy to continue to try connections when invalid IPs are accessed. PR 27542. [Alexander Prohorenko ] 
diff --git a/src/include/http_core.h b/src/include/http_core.h index 57322028893..5e20bf7014d 100644 --- a/src/include/http_core.h +++ b/src/include/http_core.h @@ -209,7 +209,9 @@ typedef struct { * This lets us do quick merges in merge_core_dir_configs(). */ - char **response_code_strings; + char **response_code_strings; /* from ErrorDocument, not from + * ap_custom_response() + */ /* Hostname resolution etc */ #define HOSTNAME_LOOKUP_OFF 0 diff --git a/src/main/http_core.c b/src/main/http_core.c index 9d2b94b577d..ddb090d6d30 100644 --- a/src/main/http_core.c +++ b/src/main/http_core.c @@ -53,6 +53,15 @@ #define MMAP_LIMIT (4*1024*1024) #endif +typedef struct { + /* Custom response strings registered via ap_custom_response(), + * or NULL; check per-dir config if nothing found here + */ + char **response_code_strings; /* from ap_custom_response(), not from + * ErrorDocument + */ +} core_request_config; + /* Server core module... This module provides support for really basic * server operations, including options and commands which control the * operation of other modules. Consider this the bureaucracy module. 
@@ -580,15 +589,30 @@ API_EXPORT(int) ap_satisfies(request_rec *r) API_EXPORT(char *) ap_response_code_string(request_rec *r, int error_index) { - core_dir_config *conf; + core_request_config *reqconf; + core_dir_config *dirconf; - conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, - &core_module); + /* prefer per-request settings, which are created by calls to + * ap_custom_response() + */ + reqconf = (core_request_config *)ap_get_module_config(r->request_config, + &core_module); - if (conf->response_code_strings == NULL) { + if (reqconf != NULL && + reqconf->response_code_strings != NULL && + reqconf->response_code_strings[error_index] != NULL) { + return reqconf->response_code_strings[error_index]; + } + + /* check for string specified via ErrorDocument */ + dirconf = (core_dir_config *)ap_get_module_config(r->per_dir_config, + &core_module); + + if (dirconf->response_code_strings == NULL) { return NULL; } - return conf->response_code_strings[error_index]; + + return dirconf->response_code_strings[error_index]; } 
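Review bot: `error_index` is used as a subscript without a range check in ap_response_code_string(), and the new per-request branch adds a second such read at `reqconf->response_code_strings[error_index]`. The function is exported, so a module that passes a value not obtained from ap_index_of_response() would read past the array and get back an arbitrary pointer. A guard at the top of the function would bound both lookups: `if (error_index < 0 || error_index >= RESPONSE_CODES) return NULL;`. The per-request array is allocated with RESPONSE_CODES entries in the ap_custom_response() hunk of this commit. The size of the per-dir array is not visible in this diff, so the same bound is assumed for it and should be confirmed.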
@@ -1193,20 +1217,26 @@ static const char *set_document_root(cmd_parms *cmd, void *dummy, char *arg) API_EXPORT(void) ap_custom_response(request_rec *r, int status, char *string) { - core_dir_config *conf = - ap_get_module_config(r->per_dir_config, &core_module); + core_request_config *reqconf = + ap_get_module_config(r->request_config, &core_module); int idx; - if(conf->response_code_strings == NULL) { - conf->response_code_strings = + if (reqconf == NULL) { + reqconf = (core_request_config *)ap_pcalloc(r->pool, + sizeof(core_request_config)); + ap_set_module_config(r->request_config, &core_module, reqconf); + } + + if (reqconf->response_code_strings == NULL) { + reqconf->response_code_strings = ap_pcalloc(r->pool, - sizeof(*conf->response_code_strings) * - RESPONSE_CODES); + sizeof(reqconf->response_code_strings) * + RESPONSE_CODES); } idx = ap_index_of_response(status); - conf->response_code_strings[idx] = + reqconf->response_code_strings[idx] = ((ap_is_url(string) || (*string == '/')) && (*string != '"')) ? ap_pstrdup(r->pool, string) : ap_pstrcat(r->pool, "\"", string, NULL); }
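Review bot: The allocation in ap_custom_response() now multiplies by `sizeof(reqconf->response_code_strings)`, which is the size of the `char **` itself, where the removed line used the element size `sizeof(*conf->response_code_strings)`. Both operands are pointer types, so the resulting length is presumably unchanged, but the expression no longer tracks the element type and reads like a dropped `*`. It should be `sizeof(*reqconf->response_code_strings) * RESPONSE_CODES`. Separately, `*string` is still dereferenced with no NULL check, which predates this change. A short comment on the function saying that the stored strings are allocated from `r->pool` and are valid only for the current request would record why the table moved to the request config.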