Bug 57328 - Invalid memory access on ap_server_config_defines
Summary: Invalid memory access on ap_server_config_defines
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.4.10
Hardware: All Linux
Importance: P2 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Duplicates: 56008
Depends on:
Blocks:
Reported: 2014-12-08 11:16 UTC by Armin Abfalterer
Modified: 2015-01-23 08:10 UTC
Attachments
Patch to dump elements of ap_server_config_defines after a graceful restart, includes also fix for the problem (658 bytes, patch)
2014-12-08 11:16 UTC, Armin Abfalterer
Description Armin Abfalterer 2014-12-08 11:16:20 UTC
Created attachment 32268
Patch to dump elements of ap_server_config_defines after a graceful restart, includes also fix for the problem

== Reproduction ==

1) Find attached a patch for server/core.c that dumps the elements of ap_server_config_defines after a graceful restart.

2) Define some variables in httpd.conf, e.g.

Define arg1=val1
Define arg2=val2
Define arg3=val4

3) By doing some graceful restarts (5-10 times), the increasing number of array elements with invalid memory references can be observed. The problem can be reproduced each time.

== Explanation ==

After a graceful restart, the reset_config_defines() function in server/core.c resets ap_server_config_defines back to its original pointer saved_server_config_defines. Henceforth, variable definitions (by means of Define) are stored in the original array, and thus lead to invalid memory access upon the next graceful restarts.

== Solution ==

A fix to the problem can be found in the provided patch file and can be enabled by setting the macro constant WITH_FIX to 1.

Regards, Armin
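The mechanism described above, as an added C model that is not the httpd code: a toy pool and array stand in for APR's, `saved_defines` plays the role of saved_server_config_defines, and the `with_fix` branch (clearing the saved pointer during the restart cleanup) is a one-line fix assumed here, not taken from the attached patch. Because the saved pointer survives the first restart, every later Define is pushed into the original array while its string lives in the config pool that the next restart wipes, which is exactly the growing count of invalid references the report observes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the two httpd pools involved: a process-lifetime pool (-D defines) and the config pool (pconf) wiped on every graceful restart. */
enum { POOL_SZ = 4096, MAX_DEF = 64 };
typedef struct { char buf[POOL_SZ]; size_t used; } pool_t;
typedef struct { const char *elts[MAX_DEF]; int nelts; } array_t;
static pool_t pprocess, pconf;
static array_t *defines, *saved_defines;   /* ap_server_config_defines and its saved original */
static void *pool_alloc(pool_t *p, size_t n) {     /* bump allocator, pointer-aligned */
    p->used = (p->used + 15) & ~(size_t)15;
    void *r = p->buf + p->used; p->used += n; return r;
}
static void pool_clear(pool_t *p) { memset(p->buf, 0, POOL_SZ); p->used = 0; }
static const char *pool_strdup(pool_t *p, const char *s) { return strcpy(pool_alloc(p, strlen(s) + 1), s); }
static void init_config_defines(void) {    /* first Define: keep the original, work on a pconf copy */
    saved_defines = defines;
    defines = pool_alloc(&pconf, sizeof *defines); *defines = *saved_defines;
}
static void reset_config_defines(int with_fix) {   /* pconf cleanup, runs on every restart */
    defines = saved_defines;
    if (with_fix) saved_defines = NULL;    /* assumed one-line fix: the next Define copies again */
}
static void set_define(const char *name) {         /* the Define directive */
    if (!saved_defines) init_config_defines();
    defines->elts[defines->nelts++] = pool_strdup(&pconf, name);
}
static int dangling_count(void) {          /* live entries pointing into the wiped pconf */
    int n = 0;
    for (int i = 0; i < defines->nelts; i++)   /* unsigned wrap: true only inside pconf.buf */
        n += (uintptr_t)defines->elts[i] - (uintptr_t)pconf.buf < POOL_SZ;
    return n;
}
/* One -D define, then `restarts` graceful restarts each re-reading three Define lines; returns the invalid references held right after the last restart. */
static int simulate(int restarts, int with_fix) {
    pool_clear(&pprocess); pool_clear(&pconf); saved_defines = NULL;
    defines = pool_alloc(&pprocess, sizeof *defines); defines->nelts = 0;
    defines->elts[defines->nelts++] = pool_strdup(&pprocess, "CMDLINE");
    int bad = 0;
    for (int r = 0; r <= restarts; r++) {
        if (r) { reset_config_defines(with_fix); pool_clear(&pconf); bad = dangling_count(); }
        set_define("arg1"); set_define("arg2"); set_define("arg3");
    }
    return bad;
}
int main(void) {                           /* prints e.g. "restarts=2 buggy=3 fixed=0" */
    for (int r = 1; r <= 5; r++) printf("restarts=%d buggy=%d fixed=%d\n", r, simulate(r, 0), simulate(r, 1));
}
```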
Comment 1 Yann Ylavic 2014-12-08 14:35:43 UTC
Committed in r1643825.

I first misread your patch and started working on a much more complicated one, until I realized yours was the minimal/only change needed.

Thanks for the analysis and patch Armin, will propose it for 2.4.x.
Comment 2 Yann Ylavic 2014-12-08 14:39:06 UTC
*** Bug 56008 has been marked as a duplicate of this bug. ***
Comment 3 Yann Ylavic 2015-01-23 08:10:03 UTC
Backported to 2.4.11 (unreleased) in r1651083, available in upcoming 2.4.12.