Fix a double-free condition when byterange requests are made on brigades
authorCliff Woolley <jwoolley@apache.org>
Fri, 24 Aug 2001 20:27:40 +0000 (20:27 +0000)
committerCliff Woolley <jwoolley@apache.org>
Fri, 24 Aug 2001 20:27:40 +0000 (20:27 +0000)
containing any bucket that cannot be copied natively (ie, pipe or socket
buckets).

Before, we were reading that bucket to morph it to a heap bucket and then
taking the str that heap bucket points to and placing it in a second,
completely separate heap bucket.  That means we'd have two apr_bucket/
apr_bucket_heap pairs each with a refcount of 1 (rather than two apr_buckets
and a single apr_bucket_heap with a refcount of 2).  str would then be
doubly-freed when the second of those two buckets was destroyed.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90648 13f79535-47bb-0310-9956-ffa450edef68

modules/http/http_protocol.c

index 635c52eaaa4d0a0b71e246ba545c1a410c6e5b54..0229296906efb7ea42123525c93516780d6eeaaf 100644 (file)
@@ -2468,8 +2468,13 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_byterange_filter(
             apr_size_t len;
 
             if (apr_bucket_copy(ec, &foo) != APR_SUCCESS) {
+                /* we assume here that if copy failed we can morph
+                 * the bucket into a copyable one by reading it... normally
+                 * copy won't return anything but APR_SUCCESS or APR_ENOTIMPL
+                 */
+                /* XXX: check for failure? */
                 apr_bucket_read(ec, &str, &len, APR_BLOCK_READ);
-                foo = apr_bucket_heap_create(str, len, 0, NULL);
+                apr_bucket_copy(ec, &foo);
             }
             APR_BRIGADE_INSERT_TAIL(bsend, foo);
             ec = APR_BUCKET_NEXT(ec);
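Review bot: Neither the `apr_bucket_read()` call nor the second `apr_bucket_copy()` inside the `if` has its status checked, so when either fails this iteration never assigns `foo`, yet `APR_BRIGADE_INSERT_TAIL(bsend, foo)` still runs on it. Depending on how `foo` is declared (outside the hunk), that is an uninitialized pointer or a bucket left over from an earlier pass, and linking it into `bsend` would likely corrupt the brigade, a memory-safety problem of the same kind as the double free this commit fixes. The `XXX` comment should become a real check, for example `if ((rv = apr_bucket_read(ec, &str, &len, APR_BLOCK_READ)) != APR_SUCCESS || (rv = apr_bucket_copy(ec, &foo)) != APR_SUCCESS) return rv;`, where `rv` stands for whatever status variable and error path the function already uses. The enclosing loop and the rest of `ap_byterange_filter` lie outside the hunk, so any cleanup of `bsend` on that path has to be confirmed there.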