From 509be649405f04bba62b747cc806f30b07a2dafc Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Tue, 11 Nov 2014 11:45:35 +0000 Subject: [PATCH] Merge r1632740 from trunk: mod_cache: avoid unlikely access to freed memory. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1638070 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 ++- STATUS | 7 ------- modules/cache/mod_cache.c | 7 ++----- 3 files changed, 4 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index f89bb8806a..ef071c5c9b 100644 --- a/CHANGES +++ b/CHANGES @@ -46,7 +46,8 @@ Changes with Apache 2.4.11 *) mod_dav: Set r->status_line in dav_error_response. PR 55426. - *) mod_proxy_http: Avoid (unlikely) access to freed memory. [Yann Ylavic] + *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory. + [Yann Ylavic, Christophe Jaillet] *) http_protocol: fix logic in ap_method_list_(add|remove) in order: - to correctly reset bits diff --git a/STATUS b/STATUS index e7090fb2a2..adf9e5e81a 100644 --- a/STATUS +++ b/STATUS @@ -102,13 +102,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_cache: Avoid another (unlikely) access to freed memory. - trunk patch: http://svn.apache.org/r1632740 - 2.4.x patch: http://people.apache.org/~ylavic/httpd-2.4.x-apr_bucket_delete_new_fix.patch - +1: ylavic, jailletc36, trawick - ylavic: No CHANGES entry is added but rather the existing one for the same - issue in mod_proxy_http (2.4.11's backport r1632736) has been modified. - * core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. PR 57167 trunk patch: http://svn.apache.org/r1635762 diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c index 0c3b5f9702..b95f0a8a5a 100644 --- a/modules/cache/mod_cache.c +++ b/modules/cache/mod_cache.c @@ -641,7 +641,6 @@ static int cache_handler(request_rec *r) static apr_status_t cache_out_filter(ap_filter_t *f, apr_bucket_brigade *in) { request_rec *r = f->r; - apr_bucket *e; cache_request_rec *cache = (cache_request_rec *)f->ctx; if (!cache) { @@ -657,10 +656,8 @@ static apr_status_t cache_out_filter(ap_filter_t *f, apr_bucket_brigade *in) "cache: running CACHE_OUT filter"); /* clean out any previous response up to EOS, if any */ - for (e = APR_BRIGADE_FIRST(in); - e != APR_BRIGADE_SENTINEL(in); - e = APR_BUCKET_NEXT(e)) - { + while (!APR_BRIGADE_EMPTY(in)) { + apr_bucket *e = APR_BRIGADE_FIRST(in); if (APR_BUCKET_IS_EOS(e)) { apr_bucket_brigade *bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); -- 2.40.0