Commit e75abb77 authored by Cliff Woolley

Fix a double-free condition when byterange requests are made on brigades
containing any bucket that cannot be copied natively (ie, pipe or socket
buckets).

Before, we were reading that bucket to morph it to a heap bucket and then
taking the str that heap bucket points to and placing it in a second,
completely separate heap bucket.  That means we'd have two apr_bucket/
apr_bucket_heap pairs each with a refcount of 1 (rather than two apr_buckets
and a single apr_bucket_heap with a refcount of 2).  str would then be
doubly-freed when the second of those two buckets was destroyed.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90648 13f79535-47bb-0310-9956-ffa450edef68
parent f2353e13
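
The ownership mistake described in the commit message, as an added example that is not code from httpd or APR: a toy model in which every name (toy_heap, toy_bucket, releases_for and the rest) is hypothetical. It counts releases of the payload instead of calling free() on it, so the faulty pattern can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not APR: all names and layouts here are hypothetical. */
typedef struct { char *str; int refcount; } toy_heap;  /* owns the payload  */
typedef struct { toy_heap *h; } toy_bucket;            /* handle in a brigade */

static int release_calls;  /* how many times the payload was released */

/* Wrap str in a new heap struct with its own refcount of 1. */
static toy_bucket *toy_heap_create(char *str) {
    toy_bucket *b = malloc(sizeof *b);
    b->h = malloc(sizeof *b->h);
    b->h->str = str;
    b->h->refcount = 1;
    return b;
}

/* Copy: new handle, same heap struct, refcount bumped. */
static toy_bucket *toy_copy(const toy_bucket *src) {
    toy_bucket *b = malloc(sizeof *b);
    b->h = src->h;
    b->h->refcount++;
    return b;
}

/* Release the payload only when the last reference goes away.
 * A real allocator would free(b->h->str) where we count. */
static void toy_destroy(toy_bucket *b) {
    if (--b->h->refcount == 0) {
        release_calls++;
        free(b->h);
    }
    free(b);
}

/* shared == 0: second, independent heap bucket over the same str (old code).
 * shared == 1: second bucket obtained by copying the first (fixed code).
 * Returns how many times str would have been freed. */
int releases_for(int shared) {
    static char payload[] = "constructed sample body";
    toy_bucket *ec = toy_heap_create(payload);
    toy_bucket *foo = shared ? toy_copy(ec) : toy_heap_create(payload);
    release_calls = 0;
    toy_destroy(ec);
    toy_destroy(foo);
    return release_calls;
}

int main(void) {
    printf("separate heap buckets: %d releases\n", releases_for(0));
    printf("copied bucket:         %d releases\n", releases_for(1));
}
```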
+6 −1
@@ -2468,8 +2468,13 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_byterange_filter(
            apr_size_t len;

            if (apr_bucket_copy(ec, &foo) != APR_SUCCESS) {
                /* we assume here that if copy failed we can morph
                 * the bucket into a copyable one by reading it... normally
                 * copy won't return anything but APR_SUCCESS or APR_ENOTIMPL
                 */
                /* XXX: check for failure? */
                apr_bucket_read(ec, &str, &len, APR_BLOCK_READ);
                foo = apr_bucket_heap_create(str, len, 0, NULL);
                apr_bucket_copy(ec, &foo);
            }
            APR_BRIGADE_INSERT_TAIL(bsend, foo);
            ec = APR_BUCKET_NEXT(ec);
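
Review bot: The return values of apr_bucket_read() and of the second apr_bucket_copy(ec, &foo) inside the failure branch are both ignored, which the "XXX: check for failure?" comment already admits. If the read fails, ec is not morphed into a copyable bucket, the retried copy can fail the same way the first one did, and APR_BRIGADE_INSERT_TAIL(bsend, foo) then runs with whatever foo held before. Suggest capturing both statuses and returning the error from the filter before the insert, then dropping the XXX. The new comment's assumption that copy only returns APR_SUCCESS or APR_ENOTIMPL would also be safer as an explicit check on the first call's status, so that other errors are not routed through the read-and-retry path.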