Bug 35862

Summary: Tomcat Connector:JK/AJP: JK Status Worker accesses freed memory for NSAPI plugin
Product: Tomcat Connectors
Reporter: Brian Kavanagh <brian.kavanagh>
Component: Common
Assignee: Tomcat Developers Mailing List <dev>
Severity: minor
Priority: P3
Version: unspecified
Target Milestone: ---
Hardware: Sun
OS: Solaris
Attachments: patched jk_nsapi_plugin.c

Description Brian Kavanagh 2005-07-26 09:30:11 UTC
For release 1.2.13 of jakarta-tomcat-connectors:

Problem 1: the NSAPI plugin under <root>/jk/native/netscape/jk_nsapi_plugin.c 
frees() the initial workers map structure, init_map, at the end of the jk_init
(...) function.  As the jk_status.c worker uses the list of workers stored 
within this structure, when the jk_status worker is used by the NSAPI plugin, 
it attempts to read freed memory.

Problem 2: the NSAPI plugin under <root>/jk/native/netscape/jk_nsapi_plugin.c 
does not use the uri_to_worker map within the jk_worker_env_t structure (as 
this is done inside the netscape configuration files); however, the jk_status 
worker attempts to access the (uw_map) attached to the current jk_ws_service 
without a null check, thus causing the jk_status worker to attempt to 
dereference a null pointer.

Attached is a diff output of the changes between the jk_nsapi_plugin.c supplied 
within the jakarta-tomcat-connectors-1.2.13-src package, and a modified version 
of this file which fixes this problem by adding a uri_to_worker map, and having 
a static init_map structure:

< static jk_map_t *init_map = NULL;
< static jk_uri_worker_map_t *uw_map = NULL;
<     init_map = (jk_map_t *)init_d;
>     jk_map_t *init_map = (jk_map_t *)init_d;
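Review bot: the diff direction is reversed relative to the description: the `<` lines (`static jk_map_t *init_map = NULL;`, `static jk_uri_worker_map_t *uw_map = NULL;`) are the patched file and the `>` lines (`jk_map_t *init_map = (jk_map_t *)init_d;`) are the 1.2.13 original, so anyone feeding this to `patch` against the shipped file would have to use `-R`. A `diff -u original modified` with the hunk headers intact would make it applicable as-is; the attached full file is the safer thing to apply.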
<         if (uri_worker_map_alloc(&uw_map, NULL, logger)) {
<             uw_map->fname = "";
<             worker_env.uri_to_worker = uw_map;
<             init_on_other_thread_is_ok = JK_TRUE;
<         }
<         else {
<             jk_log(logger, JK_LOG_EMERG,
<                    "In init_workers_on_other_threads, failed");
<         }
>         init_on_other_thread_is_ok = JK_TRUE;
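Review bot: `uw_map->fname = "";` stores a string literal in the map, and the exit path later hands the same map to `uri_worker_map_free(&uw_map, logger)`; please confirm that `uri_worker_map_free` treats `fname` as a borrowed pointer and never frees it, otherwise this trades the original crash for a free of non-heap memory at shutdown. If it does own `fname`, allocate the empty string from the map's pool instead.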
>     jk_map_t *init_map;
>         jk_map_free(&init_map);
<     if (uw_map) {
<         uri_worker_map_free(&uw_map, logger);
<     }
<     if (init_map) {
<         jk_map_free(&init_map);
<     }
<     s->uw_map = uw_map;
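Review bot: `s->uw_map = uw_map;` fixes Problem 2 only for this connector by guaranteeing a non-NULL map on every service; the missing NULL check the description attributes to the status worker is still absent in jk_status.c, so any other front end that leaves `uw_map` NULL will hit the same dereference. Suggest a companion change in the status worker that tests `s->uw_map` before use and reports "no URI map" rather than relying on each plugin to supply an empty one.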
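To make the two defects in the report concrete, here is an added, self-contained C model of the corrected lifetime and null-check handling; it is not code from the bug, the attachment, or the mod_jk project. The types `jk_map_t`, `jk_uri_worker_map_t` and `jk_ws_service_t` are drastically simplified stand-ins with the same field names as in the report, the functions `plugin_init`, `plugin_exit`, `plugin_bind_service`, `status_worker_count`, `status_worker_name` and `status_uri_map_name` are hypothetical, and the worker names are constructed sample input. It shows the pattern the patch applies: the worker map lives at module scope from init until exit instead of being freed at the end of init (Problem 1), and the status path checks `s->uw_map` before dereferencing it (Problem 2).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the connector's types (assumptions, not mod_jk's real structs). */
typedef struct {
    char **names;   /* worker names parsed from workers.properties */
    int    size;
} jk_map_t;

typedef struct {
    const char *fname;  /* config file name; "" when the map is intentionally empty */
    int size;
} jk_uri_worker_map_t;

typedef struct {
    jk_uri_worker_map_t *uw_map;  /* NULL for front ends that map URIs elsewhere */
} jk_ws_service_t;

/* Constructed sample input: two worker names as a workers.properties would list them. */
const char *const kSampleWorkers[] = { "ajp13", "status" };
const int kSampleWorkerCount = 2;

/* Module-level state, as in the patch: lives from plugin_init() until plugin_exit(). */
static jk_map_t *init_map = NULL;
static jk_uri_worker_map_t *uw_map = NULL;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static void map_free(jk_map_t **pm) {
    jk_map_t *m = *pm;
    if (!m) return;
    for (int i = 0; i < m->size; i++) free(m->names[i]);
    free(m->names);
    free(m);
    *pm = NULL;   /* leave no dangling pointer behind */
}

static jk_map_t *map_alloc(const char *const *names, int n) {
    jk_map_t *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->names = calloc((size_t)n, sizeof *m->names);
    if (!m->names) { free(m); return NULL; }
    for (int i = 0; i < n; i++) {
        m->names[i] = dup_str(names[i]);
        if (!m->names[i]) { m->size = i; map_free(&m); return NULL; }
    }
    m->size = n;
    return m;
}

/* Problem 1 fix: init builds the worker map and an empty URI map and keeps
 * both alive; nothing is freed here. Returns 1 on success, 0 on failure. */
int plugin_init(const char *const *worker_names, int n) {
    init_map = map_alloc(worker_names, n);
    if (!init_map) return 0;
    uw_map = calloc(1, sizeof *uw_map);
    if (!uw_map) { map_free(&init_map); return 0; }
    uw_map->fname = "";   /* string literal: never freed by plugin_exit */
    return 1;
}

/* The only place the module-level maps are released. */
void plugin_exit(void) {
    free(uw_map);
    uw_map = NULL;
    map_free(&init_map);
}

/* Mirrors "s->uw_map = uw_map;" from the patch. */
void plugin_bind_service(jk_ws_service_t *s) { s->uw_map = uw_map; }

/* Status path reads the worker list init left alive; -1 means "not initialised". */
int status_worker_count(void) { return init_map ? init_map->size : -1; }

const char *status_worker_name(int i) {
    if (!init_map || i < 0 || i >= init_map->size) return NULL;
    return init_map->names[i];
}

/* Problem 2 fix: guarded access to s->uw_map instead of an unconditional dereference. */
const char *status_uri_map_name(const jk_ws_service_t *s) {
    if (!s || !s->uw_map) return NULL;
    return s->uw_map->fname;
}

int main(void) {
    if (!plugin_init(kSampleWorkers, kSampleWorkerCount)) return 1;
    jk_ws_service_t s = { NULL };
    printf("unbound service uri map: %s\n", status_uri_map_name(&s) ? "present" : "absent");
    plugin_bind_service(&s);
    printf("workers: %d, first: %s, uri map fname: \"%s\"\n",
           status_worker_count(), status_worker_name(0), status_uri_map_name(&s));
    plugin_exit();
    printf("after exit, workers: %d\n", status_worker_count());
    return 0;
}
```

Building the original 1.2.13 plugin with AddressSanitizer (`-fsanitize=address`) and requesting the status page is the quickest way to see Problem 1 as a reported heap-use-after-free rather than an intermittent crash; the model above keeps `init_map` valid across that read and only frees it in `plugin_exit`.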
Comment 1 Brian Kavanagh 2005-07-26 09:38:14 UTC
Created attachment 15776 [details]
patched jk_nsapi_plugin.c
Comment 2 Mark Thomas 2005-12-21 23:38:03 UTC
Patch committed and will be included in jk 1.2.16 onwards. Thanks for the patch.