Bug 27945

Summary: Memory violation in 'ssl_io_filter_cleanup(..)' crashes the server
Product: Apache httpd-2
Reporter: keilh <hartmut.keil>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED
Severity: critical
CC: cra, guilhermeassad, mark, roger, sanry
Priority: P3
Version: 2.0.49
Target Milestone: ---
Hardware: Other
OS: other

Description keilh 2004-03-25 14:25:09 UTC
Situation/Reproducing:

A client is sending a request over SSL. Before the first byte of
the response is written, the client closes the connection (stop button
pressed).
(error_log: [info] (32)Broken pipe: core_output_filter: writing data to the
network)

If in that situation the 'ssl_io_filter_cleanup' handler is invoked, it
tries to send an SSL shutdown message. By that a memory violation occurs. See
the following stack:

   dummy_worker(opaque = 0x170fc0)
   worker_thread(thd = 0x170fc0, dummy = 0x1b1110)
   apr_pool_clear(pool = 0x255cc0)
   run_cleanups(cref = 0x255cd0)
   ssl_io_filter_cleanup(data = 0x256148)
   ssl_filter_io_shutdown(filter_ctx = 0x256148, c = 0x255de8, abortive = 0)
   SSL_smart_shutdown(ssl = 0x279268)
   ssl3_shutdown(0x279268, 0x0, 0xfe3562e0, 0xfdbf8000, 0xfffffff8, 0x274b50)
   ssl3_send_alert(0x279268, 0x279ba8, 0x1, 0x3, 0x0, 0x2)
   ssl3_write_pending(0x279268, 0x15, 0x15, 0x2, 0x0, 0x279cf4)
   BIO_write(0x260070, 0x27f790, 0x17, 0xff33ac84, 0xff1f655c, 0x0)
   bio_filter_out_write(bio = 0x260070, in = 0x27f790 "^U^C^A", inl = 23)
   bio_filter_out_flush(bio = 0x260070)
   ap_pass_brigade(next = 0x25c118, bb = 0x25f098)
   core_output_filter(f = 0x25c118, b = 0x260108)
   apr_pool_clear(pool = 0x2600d0)
   allocator_free(allocator = 0x1b3e50, node = (nil)) <-!!!!!!!!!
                                        

Fixes:
There are two possible fixes:

a) Point fix in ssl_io_filter_cleanup:
   Free only the SSL struct, but do not send any SSL shutdown.

b) General fix in allocator_free:
   Check whether the parameter 'apr_memnode_t *node' is NULL.


Patches:
a)
Index: modules/ssl/ssl_engine_io.c
===================================================================
RCS file:
/opt/projects/CVSROOT/navajo/src/org/apache/httpd-2.X/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.8
diff -r1.8 ssl_engine_io.c
1080,1084c1080,1081
<     c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
<     if ((ret = ssl_filter_io_shutdown(filter_ctx, c, 0)) != APR_SUCCESS) {
<         ap_log_error(APLOG_MARK, APLOG_INFO, ret, NULL,
<                      "SSL filter error shutting down I/O");
<     }
---
>       SSL_free(filter_ctx->pssl);
>       filter_ctx->pssl = NULL;
1086c1083
<     return ret;
---
>     return APR_SUCCESS;
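Review bot: Returning APR_SUCCESS unconditionally is consistent with the first hunk, but it leaves `ret` declared and never assigned in the visible code; delete the declaration of `ret` (and of `c`, if it is likewise no longer used) in the same change so the build does not pick up unused-variable warnings.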



b) 

Index: srclib/apr/memory/unix/apr_pools.c
===================================================================
RCS file:
/opt/projects/CVSROOT/navajo/src/org/apache/httpd-2.X/srclib/apr/memory/unix/apr_pools.c,v
retrieving revision 1.3
diff -r1.3 apr_pools.c
309a310,312
>       if(!node)
>               return;
>
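Review bot: A NULL check in allocator_free() hides the defect rather than fixing it: the stack trace shows the NULL node arriving from core_output_filter's own apr_pool_clear() while ssl_io_filter_cleanup() is still driving the output filter chain during cleanup of the enclosing pool, so a silent return here leaves that ordering problem in place and would also mask the same misuse from every other caller of the allocator. If the guard is kept as belt and braces it should follow the file's style (`if (!node)` with a space, and the surrounding indentation rather than a tab), and the trailing empty `>` line looks like an accidental blank line added to the source.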
Comment 1 Joe Orton 2004-03-26 09:23:44 UTC
Thanks for the report.  Something similar to (a) was checked in already:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.121&r2=1.122
Comment 2 Joe Orton 2004-05-25 19:13:56 UTC
*** Bug 28577 has been marked as a duplicate of this bug. ***
Comment 3 Joe Orton 2004-05-25 19:15:20 UTC
*** Bug 29073 has been marked as a duplicate of this bug. ***
Comment 4 Joe Orton 2004-06-01 21:21:24 UTC
*** Bug 28512 has been marked as a duplicate of this bug. ***
Comment 5 Joe Orton 2004-06-20 08:08:42 UTC
*** Bug 29690 has been marked as a duplicate of this bug. ***
Comment 6 Joe Orton 2004-06-25 15:00:41 UTC
*** Bug 29788 has been marked as a duplicate of this bug. ***
Comment 7 Joe Orton 2005-03-10 14:44:29 UTC
*** Bug 29277 has been marked as a duplicate of this bug. ***