From: Graham Leggett Date: Mon, 20 Nov 2023 13:17:25 +0000 (+0000) Subject: Backport to v2.4: X-Git-Tag: 2.4.59-rc1-candidate~121 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fe3cc79d1bcb4a20a0c56853d82e85c8a88b8f5;p=thirdparty%2Fapache%2Fhttpd.git Backport to v2.4: *) core: Fix use after free warning with gcc -fanalyzer. trunk patch: http://svn.apache.org/r1892413 2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-use-after-free.patch +1: minfrin, ylavic, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913983 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 2c29c9c8fe7..f08b6e0b72c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.59 + *) core: Fix use after free warning with gcc -fanalyzer. [Joe Orton] + *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an operation which removes a directory/file between apr_dir_read() and apr_stat(). Current behaviour is to abort the connection which seems diff --git a/STATUS b/STATUS index adfe8452106..2b63a059fe4 100644 --- a/STATUS +++ b/STATUS @@ -153,10 +153,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) core: Fix use after free warning with gcc -fanalyzer. - trunk patch: http://svn.apache.org/r1892413 - 2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-use-after-free.patch - +1: minfrin, ylavic, jorton PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/server/mpm_unix.c b/server/mpm_unix.c index 8c4d233792d..ed4555ad0b4 100644 --- a/server/mpm_unix.c +++ b/server/mpm_unix.c 
@@ -259,10 +259,12 @@ AP_DECLARE(void) ap_reclaim_child_processes(int terminate,
 while (cur_extra) {
 ap_generation_t old_gen;
 extra_process_t *next = cur_extra->next;
+ pid_t pid = cur_extra->pid;
 
- if (reclaim_one_pid(cur_extra->pid, action_table[cur_action].action)) {
- if (ap_unregister_extra_mpm_process(cur_extra->pid, &old_gen) == 1) {
- mpm_callback(-1, cur_extra->pid, old_gen);
+ if (reclaim_one_pid(pid, action_table[cur_action].action)) {
+ if (ap_unregister_extra_mpm_process(pid, &old_gen) == 1) {
+ /* cur_extra dangling pointer from here. */
+ mpm_callback(-1, pid, old_gen);
 }
 else {
 AP_DEBUG_ASSERT(1 == 0);
@@ -307,10 +309,12 @@ AP_DECLARE(void) ap_relieve_child_processes(ap_reclaim_callback_fn_t *mpm_callba
 while (cur_extra) {
 ap_generation_t old_gen;
 extra_process_t *next = cur_extra->next;
+ pid_t pid = cur_extra->pid;
 
- if (reclaim_one_pid(cur_extra->pid, DO_NOTHING)) {
- if (ap_unregister_extra_mpm_process(cur_extra->pid, &old_gen) == 1) {
- mpm_callback(-1, cur_extra->pid, old_gen);
+ if (reclaim_one_pid(pid, DO_NOTHING)) {
+ if (ap_unregister_extra_mpm_process(pid, &old_gen) == 1) {
+ /* cur_extra dangling pointer from here. */
+ mpm_callback(-1, pid, old_gen);
 }
 else {
 AP_DEBUG_ASSERT(1 == 0);
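Review bot: The added comment `/* cur_extra dangling pointer from here. */` names the hazard but not its cause or the safe substitutes, so a later edit inside the `if` can reintroduce a read through `cur_extra` without anything flagging it. Assuming ap_unregister_extra_mpm_process() is what releases the list node (its body is not in this diff), I would word it as `/* ap_unregister_extra_mpm_process() freed cur_extra: use only the cached pid and next from here. */`. The same comment in the second hunk, in ap_relieve_child_processes, needs the same wording. Both loop bodies continue past the hunks, so it is worth confirming that nothing after the `else` branch reads `cur_extra` before it is reassigned, and that `AP_DEBUG_ASSERT(1 == 0)` is not the only signal when the unregister call fails, since that branch presumably does nothing in non-debug builds.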