From ee3ff1a4a087f2019d647aa348f0207d1dbe0a7c Mon Sep 17 00:00:00 2001
From: Jeff Trawick
Date: Sat, 8 Oct 2005 00:10:02 +0000
Subject: [PATCH] use Greg's cleaner fix for CAN-2005-2970
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@307221 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 2 +-
 server/mpm/worker/worker.c | 22 +++++++++-------------
 2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/CHANGES b/CHANGES
index cc6e5050338..e2ca27187d7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -47,7 +47,7 @@ Changes with Apache 2.1.9
 *) SECURITY: CAN-2005-2970 (cve.mitre.org)
 worker MPM: Fix a memory leak which can occur after an aborted
- connection in some limited circumstances. [Greg Ames, Jeff Trawick]
+ connection in some limited circumstances. [Greg Ames]
 *) Doxygen fixup [Neale Ranns , Ian Holsman]
diff --git a/server/mpm/worker/worker.c b/server/mpm/worker/worker.c
index 53db4b24f20..1f46ea683d0 100644
--- a/server/mpm/worker/worker.c
+++ b/server/mpm/worker/worker.c
@@ -583,8 +583,7 @@ static void *listener_thread(apr_thread_t *thd, void * dummy)
 int process_slot = ti->pid;
 apr_pool_t *tpool = apr_thread_pool_get(thd);
 void *csd = NULL;
- apr_pool_t *ptrans; /* Pool for per-transaction stuff */
- apr_pool_t *recycled_pool = NULL;
+ apr_pool_t *ptrans = NULL; /* Pool for per-transaction stuff */
 apr_pollset_t *pollset;
 apr_status_t rv;
 ap_listen_rec *lr;
@@ -624,8 +623,11 @@ static void *listener_thread(apr_thread_t *thd, void * dummy)
 if (listener_may_exit) break;
 if (!have_idle_worker) {
+ /* the following pops a recycled ptrans pool off a stack
+ * if there is one, in addition to reserving a worker thread
+ */
 rv = ap_queue_info_wait_for_idler(worker_queue_info,
- &recycled_pool);
+ &ptrans);
 if (APR_STATUS_IS_EOF(rv)) {
 break; /* we've been signaled to die now */
 }
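Review bot: In listener_thread, the `@@ -624,8 +623,11 @@` hunk now passes `&ptrans` straight to ap_queue_info_wait_for_idler(), so the loop is only safe if that function stores to the out-parameter on every return path, writing NULL when no recycled pool is available; its body is not part of this diff, so that contract should be confirmed. It matters because of the `@@ -761,15 +760,11 @@` hunk: after a successful ap_queue_push() the pool has presumably been handed to a worker, yet `ptrans` keeps pointing at it until the next wait_for_idler call overwrites it. Making the hand-off explicit would remove that hidden dependency, e.g. `ptrans = NULL; /* pool now belongs to the worker */` next to `have_idle_worker = 0;`. The new comment could also state the contract with a line such as `* (ptrans is set to NULL when the stack is empty)`. listener_thread starts and ends outside these hunks.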
@@ -713,8 +715,9 @@ static void *listener_thread(apr_thread_t *thd, void * dummy)
 } /* if/else */
 if (!listener_may_exit) {
- /* create a new transaction pool for each accepted socket */
- if (recycled_pool == NULL) {
+ if (ptrans == NULL) {
+ /* we can't use a recycled transaction pool this time.
+ * create a new transaction pool */
 apr_allocator_t *allocator;
 apr_allocator_create(&allocator);
@@ -722,10 +725,6 @@ static void *listener_thread(apr_thread_t *thd, void * dummy)
 apr_pool_create_ex(&ptrans, pconf, NULL, allocator);
 apr_allocator_owner_set(allocator, ptrans);
 }
- else {
- ptrans = recycled_pool;
- recycled_pool = NULL;
- }
 apr_pool_tag(ptrans, "transaction");
 rv = lr->accept_func(&csd, lr, ptrans);
 /* later we trash rv and rely on csd to indicate success/failure */
@@ -761,15 +760,11 @@ static void *listener_thread(apr_thread_t *thd, void * dummy)
 apr_socket_close(csd);
 ap_log_error(APLOG_MARK, APLOG_CRIT, rv, ap_server_conf, "ap_queue_push failed");
- recycled_pool = ptrans;
 }
 else {
 have_idle_worker = 0;
 }
 }
- else {
- recycled_pool = ptrans;
- }
 }
 else {
 if ((rv = SAFE_ACCEPT(apr_proc_mutex_unlock(accept_mutex)))
@@ -823,6 +818,7 @@ static void * APR_THREAD_FUNC worker_thread(apr_thread_t *thd, void * dummy)
 free(ti);
 ap_scoreboard_image->servers[process_slot][thread_slot].pid = ap_my_pid;
+ ap_scoreboard_image->servers[process_slot][thread_slot].tid = apr_os_thread_current();
 ap_scoreboard_image->servers[process_slot][thread_slot].generation = ap_my_generation;
 ap_update_child_status_from_indexes(process_slot, thread_slot, SERVER_STARTING, NULL);
--
2.47.2
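Review bot: In the `if (ptrans == NULL)` branch of the `@@ -713,8 +715,9 @@` hunk, the status of `apr_allocator_create(&allocator)` is discarded, and so is that of `apr_pool_create_ex(&ptrans, pconf, NULL, allocator)` in the following hunk. If either call fails and no abort handler on pconf steps in (not visible here), `apr_pool_tag(ptrans, "transaction")` and `lr->accept_func(&csd, lr, ptrans)` would run with an unusable pool. Consider capturing the result, e.g. `rv = apr_pool_create_ex(&ptrans, pconf, NULL, allocator);`, and logging and skipping the accept when it is not APR_SUCCESS. The branch spans this hunk and the next, with at least one line between them not shown.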
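Review bot: The `.tid = apr_os_thread_current();` line added in worker_thread (`@@ -823,6 +818,7 @@`) does not appear related to the pool-recycling change in listener_thread, and neither the commit subject nor the CHANGES entry mentions it. Bundling an unrelated scoreboard change with a security fix makes the fix harder to audit and to backport, so it would be cleaner as its own commit or at least named in the log message. If it stays, a short comment such as `/* record this thread's OS thread id in its scoreboard slot */` would document the new field assignment. worker_thread continues outside the hunk.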