In core_input_filter, check for an empty brigade after

APR_BRIGADE_NORMALIZE().  Otherwise, we can get segfaults if a
client says it will post some data but we get FIN before any
data arrives.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93262 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index ea16d9337796450e585f62ee61411e5b74f56b24..67afb2ae3ffe0689b4a049b48009f8b05c3792ed 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,10 @@
 Changes with Apache 2.0.32-dev
 
+  *) In core_input_filter, check for an empty brigade after 
+     APR_BRIGADE_NORMALIZE().  Otherwise, we can get segfaults if a
+     client says it will post some data but we get FIN before any
+     data arrives.  [Jeff Trawick]
+
   *) Not being able to bind to the socket is a fatal error.  We should
      print an error to the console, and return a non-zero status code.
      With these changes, all of the Unix MPMs do that correctly.

diff --git a/server/core.c b/server/core.c
index 844900a361b90fd05f7795f0e7e8445e483a1c79..14c7654c049962a581ec70d7fa3092d2b5d0e3fa 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -3058,14 +3058,16 @@ static int core_input_filter(ap_filter_t *f, apr_bucket_brigade *b,
         APR_BRIGADE_INSERT_TAIL(ctx->b, e);
         net->in_ctx = ctx;
     }
-    else if (APR_BRIGADE_EMPTY(ctx->b)) {
-        /* hit EOF on socket already */
-        return APR_EOF;
-    }
 
     /* ### This is bad. */
     APR_BRIGADE_NORMALIZE(ctx->b);
 
+    /* check for empty brigade *AFTER* APR_BRIGADE_NORMALIZE() */
+    if (APR_BRIGADE_EMPTY(ctx->b)) {
+        /* hit EOF on socket already */
+        return APR_EOF;
+    }
+    
     /* ### AP_MODE_PEEK is a horrific name for this mode because we also
      * eat any CRLFs that we see.  That's not the obvious intention of
      * this mode.  Determine whether anyone actually uses this or not. */