SECURITY: CAN-2005-2970 (cve.mitre.org)
authorJeff Trawick <trawick@apache.org>
Fri, 30 Sep 2005 16:34:25 +0000 (16:34 +0000)
committerJeff Trawick <trawick@apache.org>
Fri, 30 Sep 2005 16:34:25 +0000 (16:34 +0000)
worker MPM: Fix a memory leak which can occur after an aborted
connection in some limited circumstances.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@292809 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
server/mpm/worker/worker.c

diff --git a/CHANGES b/CHANGES
index 2b2e4818c7d63631dea3dd8c5079f6b56bca493d..9a63420defdd0ed13017447b82494c05dc533526 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) SECURITY: CAN-2005-2970 (cve.mitre.org)
+     worker MPM: Fix a memory leak which can occur after an aborted
+     connection in some limited circumstances.  [Greg Ames, Jeff Trawick]
+
   *) Move mod_dbd to /modules/database/ (Nick Kew)
 
   *) Move mod_filter and mod_charset_lite to /modules/filters/ (Nick Kew)
index 4594e67c3e00e0a37a893cefb0f11700167da6e0..53db4b24f20e01bd79cd3ecb884e0678ec3f48fa 100644 (file)
@@ -724,6 +724,7 @@ static void *listener_thread(apr_thread_t *thd, void * dummy)
             }
             else {
                 ptrans = recycled_pool;
+                recycled_pool = NULL;
             }
             apr_pool_tag(ptrans, "transaction");
             rv = lr->accept_func(&csd, lr, ptrans);
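Review bot: The new `recycled_pool = NULL;` has no comment explaining why the variable is emptied, and it only makes sense when read together with the two `recycled_pool = ptrans;` assignments in the next hunk. A short comment would state the ownership rule at the point it starts, for example `/* ptrans now owns the pool; recycled_pool is restored below if the pool is not queued to a worker */`. listener_thread starts and ends outside this hunk, so whether anything else reads recycled_pool between these points cannot be checked from here.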
@@ -760,11 +761,15 @@ static void *listener_thread(apr_thread_t *thd, void * dummy)
                     apr_socket_close(csd);
                     ap_log_error(APLOG_MARK, APLOG_CRIT, rv, ap_server_conf,
                                  "ap_queue_push failed");
+                    recycled_pool = ptrans;
                 }
                 else {
                     have_idle_worker = 0;
                 }
             }
+            else {
+                recycled_pool = ptrans;
+            }
         }
         else {
             if ((rv = SAFE_ACCEPT(apr_proc_mutex_unlock(accept_mutex)))
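Review bot: Both new `recycled_pool = ptrans;` assignments put the pool back for reuse without clearing it in the visible lines, although `accept_func` was already called with `ptrans` and, on the push-failure path, the socket closed by `apr_socket_close(csd)` came from it. If the top of the loop reuses `recycled_pool` as is (that code is outside the hunk), every failed accept or failed `ap_queue_push` would leave allocations behind in a pool that is never emptied. That is the same slow growth under aborted connections that this commit sets out to remove. Consider `apr_pool_clear(ptrans);` immediately before each `recycled_pool = ptrans;`, or a comment naming where the clear happens. The body of listener_thread continues on both sides of the hunk.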