From: Cliff Woolley
Date: Fri, 24 Aug 2001 20:27:40 +0000 (+0000)
Subject: Fix a double-free condition when byterange requests are made on brigades
X-Git-Tag: 2.0.25~68
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=64dd7641e71b31bc1c3bcfea12c4dfbecf367ae2;p=apache

Fix a double-free condition when byterange requests are made on brigades containing any bucket that cannot be copied natively (ie, pipe or socket buckets). Before, we were reading that bucket to morph it to a heap bucket and then taking the str that heap bucket points to and placing it in a second, completely separate heap bucket. That means we'd have two apr_bucket/apr_bucket_heap pairs each with a refcount of 1 (rather than two apr_buckets and a single apr_bucket_heap with a refcount of 2). str would then be doubly-freed when the second of those two buckets was destroyed.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90648 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c index 635c52eaaa..0229296906 100644 --- a/modules/http/http_protocol.c +++ b/modules/http/http_protocol.c @@ -2468,8 +2468,13 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_byterange_filter( apr_size_t len; if (apr_bucket_copy(ec, &foo) != APR_SUCCESS) { + /* we assume here that if copy failed we can morph + * the bucket into a copyable one by reading it... normally + * copy won't return anything but APR_SUCCESS or APR_ENOTIMPL + */ + /* XXX: check for failure? */ apr_bucket_read(ec, &str, &len, APR_BLOCK_READ); - foo = apr_bucket_heap_create(str, len, 0, NULL); + apr_bucket_copy(ec, &foo); } APR_BRIGADE_INSERT_TAIL(bsend, foo); ec = APR_BUCKET_NEXT(ec);
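
Review bot: in the fallback branch under `if (apr_bucket_copy(ec, &foo) != APR_SUCCESS)`, neither `apr_bucket_read(ec, &str, &len, APR_BLOCK_READ)` nor the new second `apr_bucket_copy(ec, &foo)` has its return value checked, which the added `/* XXX: check for failure? */` comment already acknowledges. The new comment states only an assumption that reading morphs the bucket into a copyable one; if the read fails or the retried copy fails again, `foo` reaches `APR_BRIGADE_INSERT_TAIL(bsend, foo)` without having been set by a successful copy, which trades the double-free for an insert of an undefined bucket pointer. I would capture the status of both calls and return it from the filter (or otherwise skip the insert) when either is not `APR_SUCCESS`, and resolve the XXX in this change rather than leaving it open.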