| Field | Value |
|---|---|
| Summary | allocator_free() crashes because of NULL-Pointer inside SSL_smart_shutdown() |
| Product | Apache httpd-2 |
| Reporter | Christian Rang <cra> |
| Component | mod_ssl |
| Assignee | Apache HTTPD Bugs Mailing List <bugs> |
| Status | CLOSED DUPLICATE |
| Severity | critical |
| Priority | P3 |
| Version | 2.0.49 |
| Target Milestone | --- |
| Hardware | PC |
| OS | All |
Description

Christian Rang, 2004-06-19 20:41:11 UTC

Just found out that active->next is set to NULL in the line just before the allocator_free() call at the end of apr_pool_clear():

```c
if (active->next == active) /* apr_pools.c, line 709 */
    return;

*active->ref = NULL;
allocator_free(pool->allocator, active->next);
```

The '*active->ref = NULL;' statement sets active->next to NULL. It was *NOT* NULL before that statement. Obviously, 'active->ref' pointed to the *own* 'next' field.

New Info: I am reproducing the error using MS IE 6.0 on a SSL page containing a number of images that are loaded via SSL, too. Nearly every time I refresh the page, the error occurs. However, when I remove the images from the page, so only the main HTML is loaded and no second connection is used by IE, the error does *not* occur anymore. I first thought it had something to do with the multithreading, but now I think that the whole thing is caused by IE aborting connections, because I can reproduce the error even w/o images just by hitting ESC before the page loads - the connection is aborted, mod_ssl is shutting down the socket (SSL_Shutdown, ssl3_send_alert...) and this causes the error.

P.S. I forgot: Previously, the page was generated by a Tomcat. However, the error appears also when directly putting the page in Apache's htdocs, so it has nothing to do with Tomcat. However, the error appears less often, I have to hit F5 (reload) in IE several times before it appears.

Possible workaround found: Make SSL shutdown a quiet one. Changed ssl_util_ssl.c, added 'ssl->quiet_shutdown = 1;' before OpenSSL's SSL_shutdown() is called:

```c
#include <openssl/ssl.h>

int SSL_smart_shutdown(SSL *ssl)
{
    int i;
    int rc;

    /*
     * Repeat the calls, because SSL_shutdown internally dispatches through a
     * little state machine. Usually only one or two iterations should be
     * needed, so we restrict the total number of iterations in order to
     * avoid process hangs in case the client played bad with the socket
     * connection and OpenSSL cannot recognize it.
     */
    rc = 0;
    ssl->quiet_shutdown = 1;   /* workaround: suppress the close_notify alert */
    for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
        if ((rc = SSL_shutdown(ssl)))
            break;
    }
    return rc;
}
```

This removes the error completely, however I am not 100% sure about security issues (when does the client not get an abort notification, and when is that dangerous?)

I am sorry - it's me again ;-) But this problem doesn't want to let me go... In apr_pool_clear(), the following is done:

1. Destroy the subpools - *first*
2. Run cleanups
3. Free subprocesses

Could it be that the cleanups do something wrong when they allocate memory (and the SSL shutdown *does*!!) and the subpools are already destroyed? When I change this to:

1. Run cleanups
2. Free subprocesses
3. Destroy the subpools - *last*

Everything works fine (w/o my previous quiet_shutdown workaround!). Question: Is this ok, or does it maybe produce memory leaks? I admit that I still don't fully understand the pool concept :-) BTW: The same questions apply to the apr_pool_destroy() function which does the same three steps for the sub-pools.

Good analysis :) The problem is a misuse of pool cleanups, see patch on the other bug.

*** This bug has been marked as a duplicate of 27945 ***

Thank you! I will search the database more thoroughly @ the next bug ;-)
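As an added illustration (not code from the bug report, from APR or from mod_ssl), the toy model below reproduces the ordering the reporter describes for apr_pool_clear(): subpools are destroyed before the parent's cleanups run, so a cleanup registered on the parent that touches state owned by a subpool runs against released memory, while the same cleanup registered on the owning pool runs before that memory goes. The pool and ssl_conn types and all function names are invented for the model, and the idea that the SSL state lived in a shorter-lived subpool is an assumption, since the page only states that the real cause was a misuse of pool cleanups.

```c
#include <string.h>

#define MAXN 4
typedef struct pool pool;
typedef int (*cleanup_fn)(void *data);
struct pool {
    pool *children[MAXN];   int nchildren;
    cleanup_fn cleanups[MAXN]; void *cleanup_data[MAXN]; int ncleanups;
    int destroyed;          /* memory owned by this pool has been released */
};
/* Object "allocated" from a pool: it records which pool owns its memory. */
typedef struct { pool *owner; } ssl_conn;

static void pool_create(pool *p, pool *parent) {
    memset(p, 0, sizeof *p);
    if (parent) parent->children[parent->nchildren++] = p;
}
static void pool_register_cleanup(pool *p, cleanup_fn fn, void *data) {
    p->cleanups[p->ncleanups] = fn;
    p->cleanup_data[p->ncleanups++] = data;
}
/* Same order as apr_pool_clear(): destroy subpools first, run cleanups second.
 * Returns how many cleanups touched memory that was already released. */
static int pool_clear(pool *p) {
    int i, faults = 0;
    for (i = p->nchildren - 1; i >= 0; i--) {
        faults += pool_clear(p->children[i]);
        p->children[i]->destroyed = 1;
    }
    p->nchildren = 0;
    for (i = p->ncleanups - 1; i >= 0; i--)
        faults += p->cleanups[i](p->cleanup_data[i]);
    p->ncleanups = 0;
    return faults;
}
/* Stands in for the SSL shutdown cleanup, which needs the connection state. */
static int ssl_shutdown_cleanup(void *data) {
    return ((ssl_conn *)data)->owner->destroyed;   /* 1 = use after release */
}
/* Connection pool with a subpool; the SSL state lives in the subpool (assumed);
 * the cleanup is registered either on the parent (misuse) or on the owner. */
static int run_scenario(int register_on_parent) {
    pool parent, sub; ssl_conn c;
    pool_create(&parent, NULL); pool_create(&sub, &parent); c.owner = &sub;
    pool_register_cleanup(register_on_parent ? &parent : &sub,
                          ssl_shutdown_cleanup, &c);
    return pool_clear(&parent);
}
int faults_when_misused(void) { return run_scenario(1); }  /* 1: subpool gone first */
int faults_when_correct(void) { return run_scenario(0); }  /* 0: runs before release */
```

Reordering apr_pool_clear() as the reporter tried hides the fault in this model too, but only because it lets the cleanup outlive memory it never owned; registering the cleanup on the owning pool fixes the lifetime itself.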