Bug 35924 - ISAPI redirector accesses freed memory
Summary: ISAPI redirector accesses freed memory
Status: RESOLVED DUPLICATE of bug 35864
Alias: None
Product: Tomcat Connectors
Classification: Unclassified
Component: Common
Version: unspecified
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2005-07-29 06:19 UTC by Tim Whittington
Modified: 2008-10-05 03:09 UTC
Description Tim Whittington 2005-07-29 06:19:51 UTC
In init_jk of iis/jk_isapi_plugin.c, the worker_env is constructed from a map
allocated in that function, which is subsequently freed before init_jk exits.

The worker names (and some other strings) are copied from the map into the
worker_env, and subsequently into the worker structs themselves.

Later, when the worker name is accessed, freed memory is accessed and bogus data
is used. e.g. p->worker->name in ajp_done in jk_ajp_common.c

Mercifully, the fields concerned seem only to be used in debug logging
statements, so this hasn't caused any crashes - even in debug mode all you see
is a stream of ÝÝÝÝÝÝÝÝ characters.

mod_jk may avoid this issue, as the config map is passed from Apache to the
module, and is presumably kept around, although I haven't tested that theory.
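The following C program is an added example, not code from the Tomcat Connectors project or from the reporter. It models the lifetime pattern the description lays out: a config map owns its string storage, the worker_env and worker take only pointers into that storage, and the map is released before the worker is ever used, so a later read of the worker name sees whatever the freed block now contains. The type and function names (cfg_map_t, init_aliasing, init_copying, worker_env_t, worker_t) are illustrative stand-ins for jk_map, init_jk and the worker structs, and the 0xDD poisoning stands in for the MSVC debug heap's fill of freed blocks, which is why the reporter sees 'Ý' (byte 0xDD) in the log. Poisoning a still-valid arena instead of calling free() keeps the demonstration deterministic rather than undefined behaviour. The copying variant shows one generic fix (take ownership of the strings before the map goes away); the project's actual fix is not on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 64
#define FREED_FILL 0xDD   /* MSVC debug heap fills freed blocks with 0xDD ('Ý') */

/* Stand-in for the config map (illustrative, not jk_map_t): it owns the
 * storage of every string it hands out. */
typedef struct {
    char   arena[ARENA_SIZE];
    size_t used;
    int    freed;
} cfg_map_t;

static void cfg_map_init(cfg_map_t *m) { m->used = 0; m->freed = 0; }

/* Store a value and hand back a pointer INTO the map's own storage. */
static const char *cfg_map_put(cfg_map_t *m, const char *value)
{
    size_t n = strlen(value) + 1;
    if (m->used + n >= ARENA_SIZE) return NULL;   /* last byte stays reserved */
    char *p = m->arena + m->used;
    memcpy(p, value, n);
    m->used += n;
    return p;
}

/* Simulated free: poison the storage the way a debug heap would, but keep
 * the final byte as a terminator so later string reads stay bounded. */
static void cfg_map_free(cfg_map_t *m)
{
    memset(m->arena, FREED_FILL, ARENA_SIZE - 1);
    m->arena[ARENA_SIZE - 1] = '\0';
    m->freed = 1;
}

/* Portable strdup replacement. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

typedef struct { const char *name; } worker_t;
typedef struct { const char *worker_name; } worker_env_t;

/* Vulnerable wiring: env and worker alias the map's storage, then the map is
 * released before init returns, the sequence the report describes. */
static void init_aliasing(cfg_map_t *map, worker_env_t *env, worker_t *w)
{
    env->worker_name = cfg_map_put(map, "ajp13");
    w->name = env->worker_name;          /* pointer copy, no ownership taken */
    cfg_map_free(map);                   /* storage gone; both pointers dangle */
}

/* Fixed wiring: copy the string into memory the env/worker own before the
 * map goes away. */
static void init_copying(cfg_map_t *map, worker_env_t *env, worker_t *w)
{
    env->worker_name = dup_string(cfg_map_put(map, "ajp13"));
    w->name = dup_string(env->worker_name);
    cfg_map_free(map);                   /* safe: nothing points into it now */
}

/* How many leading bytes of the name carry the freed-memory fill pattern. */
static size_t fill_bytes(const char *s)
{
    size_t n = 0;
    while ((unsigned char)s[n] == FREED_FILL) n++;
    return n;
}

/* Vulnerable path: number of 0xDD bytes a debug log line would print. */
size_t aliasing_poison_count(void)
{
    cfg_map_t map; worker_env_t env; worker_t w;
    cfg_map_init(&map);
    init_aliasing(&map, &env, &w);
    return fill_bytes(w.name);           /* reads the poisoned arena */
}

/* Fixed path: 1 if the worker name is intact after the map's release. */
int copying_name_intact(void)
{
    cfg_map_t map; worker_env_t env; worker_t w;
    cfg_map_init(&map);
    init_copying(&map, &env, &w);
    int ok = map.freed && strcmp(w.name, "ajp13") == 0;
    free((void *)w.name);
    free((void *)env.worker_name);
    return ok;
}

int main(void)
{
    printf("aliasing: %zu bytes of 0x%02X in worker name\n",
           aliasing_poison_count(), FREED_FILL);
    printf("copying:  worker name intact = %d\n", copying_name_intact());
    return 0;
}
```

On a real heap the aliasing path is a use-after-free whose outcome depends on the allocator: with the MSVC debug CRT the block is filled with 0xDD and the log shows the 'Ý' run the reporter describes, while a release build may show the old string, another allocation's contents, or crash. Under a tool such as AddressSanitizer the same read would be reported immediately, which is the quickest way to confirm a bug of this shape.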
Comment 1 Mladen Turk 2005-09-12 16:11:39 UTC

*** This bug has been marked as a duplicate of 35864 ***