Apache 2.4.4 will segfault if you have a log field containing the request's END time (LogFormat "... %{end:msec}t ...") and you send it an invalid request. Several 400-series errors seem to do the trick:

- 404 not found
- 400 bad request after sending a MOVE with no Destination:
- 403 unauthorized

The crash is completely repeatable.

The crash is in get_request_end_time(). It successfully retrieves 'log_request_state *state' from the request record, but state is NULL, and Apache crashes when it tries to read state->request_end_time.

Here's the backtrace:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100068d6d in get_request_end_time ()
(gdb) bt
#0 0x0000000100068d6d in get_request_end_time ()
#1 0x0000000100068e9d in log_request_time ()
#2 0x0000000100069ea0 in process_item ()
#3 0x000000010006a188 in config_log_transaction ()
#4 0x000000010006a407 in multi_log_transaction ()
#5 0x000000010002aa45 in ap_run_log_transaction ()
#6 0x000000010003c60a in eor_bucket_cleanup ()
#7 0x0000000100465661 in run_cleanups ()
#8 0x00000001004644c5 in apr_pool_destroy ()
#9 0x000000010003c753 in eor_bucket_destroy ()
#10 0x000000010003ded0 in remove_empty_buckets ()
#11 0x000000010003de75 in send_brigade_nonblocking ()
#12 0x000000010003df4c in send_brigade_blocking ()
#13 0x000000010003d87a in ap_core_output_filter ()
#14 0x0000000100022153 in ap_pass_brigade ()
#15 0x000000010005b9a8 in ap_process_request ()
#16 0x000000010005744f in ap_process_http_sync_connection ()
#17 0x000000010005754a in ap_process_http_connection ()
#18 0x000000010001995a in ap_run_process_connection ()
#19 0x0000000100019e2b in ap_process_connection ()
#20 0x00000001000e24d8 in child_main ()
#21 0x00000001000e25e4 in make_child ()
#22 0x00000001000e2c5d in prefork_run ()
#23 0x000000010001c4d1 in ap_run_mpm ()
#24 0x000000010000d978 in main ()

(Actually I first hit this on SSL connections, so there were a few SSL-related stack frames in there, but turning off SSL and using plain HTTP does not affect the crash.)
Fixed for trunk in r1467765. Will propose for backport to 2.4.x.

Could you please verify the patch? It is available at
http://people.apache.org/~rjung/patches/httpd-2_4-request_end_time.patch
or
http://svn.apache.org/viewvc?view=revision&revision=r1467765

Thanks!

Rainer
The patch applies cleanly to 2.4.4 and fixes the crash, at least for the causes I had isolated earlier. Thanks!
Fixed in 2.4.x in r1467981. Will be part of 2.4.5.
Fixed in v2.4.5.
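
The failure mode reported in this thread (a per-request state pointer that is NULL for some error responses and is dereferenced by the end-time getter) can be modelled in a few lines of C. This is an added example, not httpd's code and not the patch from r1467765; the `request` struct, `early_hook`, `now_usec` and both getters are simplified stand-ins, and it assumes the state is normally created by an earlier step that the failing requests never reach.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Simplified stand-ins (hypothetical, not httpd's real types). */
typedef struct { long long request_end_time; } log_request_state;
typedef struct { log_request_state *log_state; } request; /* models the per-request config slot */

long long now_usec(void) { return (long long)time(NULL) * 1000000LL; }

/* Assumption: an earlier processing step creates the state; requests
 * rejected before that step runs reach the logger with log_state == NULL. */
void early_hook(request *r) { r->log_state = calloc(1, sizeof *r->log_state); }

/* Pattern described in the report: the lookup succeeds but yields NULL,
 * and the read of state->request_end_time faults at address 0. */
long long end_time_unchecked(request *r) {
    log_request_state *state = r->log_state;
    if (state->request_end_time == 0) state->request_end_time = now_usec();
    return state->request_end_time;
}

/* Defensive getter: create the state on first use, then cache the time.
 * Returns 0 only if allocation fails. */
long long end_time_checked(request *r) {
    log_request_state *state = r->log_state;
    if (state == NULL) {
        state = calloc(1, sizeof *state);
        if (state == NULL) return 0;
        r->log_state = state;
    }
    if (state->request_end_time == 0) state->request_end_time = now_usec();
    return state->request_end_time;
}

int main(void) {
    request normal = {0}, rejected = {0};
    early_hook(&normal);              /* normal path: state already exists */
    /* rejected: early step skipped, so log_state is still NULL */
    printf("normal:   %lld\n", end_time_checked(&normal));
    printf("rejected: %lld\n", end_time_checked(&rejected));
    free(normal.log_state);
    free(rejected.log_state);
    return 0;
}
```

Because the logger runs for every response, including error responses, any per-request state it reads has to tolerate requests that never reached the step that normally sets it up.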