From: Bill Stoddard Date: Thu, 25 Mar 2004 02:07:28 +0000 (+0000) Subject: Fix memory corruption problem with ap_custom_response() function. X-Git-Tag: 2.0.50~291 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=933fc4375b9e598a9cdf46b78e0459f4eec7a20c;p=thirdparty%2Fapache%2Fhttpd.git Fix memory corruption problem with ap_custom_response() function. The core per-dir config would later point to request pool data that would be reused for different purposes on different requests. This is based on an old 1.3 patch submitted by Will Lowe. It needs a minor tweak before committing to 1.3, but he had it pretty darn close. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@103141 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index ff8f26f213a..d2616dea585 100644
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2004/03/25 00:15:21 $]
+Last modified at [$Date: 2004/03/25 02:07:27 $]
 Release:
@@ -101,13 +101,6 @@ PATCHES TO BACKPORT FROM 2.1 server/listen.c: r1.101 +1: trawick, stoddard, rederpj
- *) Fix memory corruption problem with ap_custom_response()
- function. This turns Apache + a popular third-party module
- into a crash-a-matic :(
- include/http_core.h: r1.82
- server/core.c: r1.268
- +1: trawick, stoddard, rederpj
-
 *) Limit the concurrency in 'ab' to MAX_CONCURRENCY to prevent a segmentation fault. support/ab.c: r1.140, r1.141
diff --git a/include/http_core.h b/include/http_core.h
index dc51aa97b2f..2e8fb472bcc 100644
--- a/include/http_core.h
+++ b/include/http_core.h
@@ -324,6 +324,13 @@ typedef struct {
 * won't actually be delivered as the response for the non-GET method. */
 int deliver_script;
+
+ /* Custom response strings registered via ap_custom_response(),
+ * or NULL; check per-dir config if nothing found here
+ */
+ char **response_code_strings; /* from ap_custom_response(), not from
+ * ErrorDocument
+ */
 } core_request_config;
 /* Standard entries that are guaranteed to be accessible via
@@ -426,7 +433,8 @@ typedef struct {
 * This lets us do quick merges in merge_core_dir_configs(). */
- char **response_code_strings;
+ char **response_code_strings; /* from ErrorDocument, not from
+ * ap_custom_response() */
 /* Hostname resolution etc */
 #define HOSTNAME_LOOKUP_OFF 0
diff --git a/server/core.c b/server/core.c
index dba35dd4742..fb0aac79932 100644
--- a/server/core.c
+++ b/server/core.c
@@ -678,16 +678,26 @@ AP_DECLARE(int) ap_satisfies(request_rec *r)
 char *ap_response_code_string(request_rec *r, int error_index)
 {
- core_dir_config *conf;
+ core_dir_config *dirconf;
+ core_request_config *reqconf;
- conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
- &core_module);
+ /* check for string registered via ap_custom_response() first */
+ reqconf = (core_request_config *)ap_get_module_config(r->request_config,
+ &core_module);
+ if (reqconf->response_code_strings != NULL &&
+ reqconf->response_code_strings[error_index] != NULL) {
+ return reqconf->response_code_strings[error_index];
+ }
- if (conf->response_code_strings == NULL) {
- return NULL;
+ /* check for string specified via ErrorDocument */
+ dirconf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+ &core_module);
+
+ if (dirconf->response_code_strings == NULL) {
+ return NULL;
 }
- return conf->response_code_strings[error_index];
+ return dirconf->response_code_strings[error_index];
 }
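Review bot: In include/http_core.h, the new `response_code_strings` member of `core_request_config` is documented twice (the block comment above it and the trailing comment), yet neither states the array's size or which pool owns it, which is the property this fix relies on. A single comment would carry more, for example `/* RESPONSE_CODES entries allocated from r->pool by ap_custom_response(), or NULL; ErrorDocument strings live in core_dir_config */`. The member is appended at the end of a struct declared in a public header, so existing offsets are kept, but no module-magic-number change is visible in this diff; whether one is needed on this branch should be confirmed.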
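Review bot: In server/core.c, the new first lookup in `ap_response_code_string()` dereferences `reqconf` without checking what `ap_get_module_config(r->request_config, &core_module)` returned, and it indexes `reqconf->response_code_strings[error_index]` with no range check. The array is allocated with RESPONSE_CODES entries in `ap_custom_response()`, so an out-of-range `error_index` would read past it; the per-dir lookup had the same unchecked index before this change, and the commit now has two of them. If callers are not guaranteed to pass an index taken from the status table, `if (error_index < 0 || error_index >= RESPONSE_CODES) return NULL;` at the top of the function would cover both lookups. Whether a request_rec can reach this function without a core request config is not visible here; adding `reqconf != NULL &&` to the condition would make that case harmless.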
@@ -1100,11 +1110,11 @@ static const char *set_document_root(cmd_parms *cmd, void *dummy,
 AP_DECLARE(void) ap_custom_response(request_rec *r, int status, const char *string)
 {
- core_dir_config *conf =
- ap_get_module_config(r->per_dir_config, &core_module);
+ core_request_config *conf =
+ ap_get_module_config(r->request_config, &core_module);
 int idx;
- if(conf->response_code_strings == NULL) {
+ if (conf->response_code_strings == NULL) {
 conf->response_code_strings = apr_pcalloc(r->pool, sizeof(*conf->response_code_strings) * RESPONSE_CODES);
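Review bot: The switch from `r->per_dir_config` to `r->request_config` in `ap_custom_response()` carries no comment explaining why, and the reason is a lifetime rule that a later cleanup could undo by accident: the array comes from `apr_pcalloc(r->pool, ...)`, so it has to hang off an object that does not outlive the request. A comment above the lookup would record that, e.g. `/* keep in request_config: the array lives in r->pool, and per_dir_config outlives the request */`. The change presumably also means a response registered on one request_rec is no longer seen through other request_recs that share the same per-dir config; that is the point of the fix, but any caller that relied on it carrying over to a subrequest or internal redirect should be checked. The rest of the function, including how `idx` is derived from `status` and how the string is stored, lies outside this hunk.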