From ebbed360373f656d32c5b166adcd458d4bb5e668 Mon Sep 17 00:00:00 2001 From: Christophe Jaillet Date: Sun, 16 Nov 2014 05:55:14 +0000 Subject: [PATCH] avoid dereferencing a recently apr_pool_clear()'ed event_conn_state_t *cs in several paths where ptrans is being recycled at the end of a request. Same as r1638879 which was for the event MPM. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1639960 13f79535-47bb-0310-9956-ffa450edef68 --- server/mpm/eventopt/eventopt.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/server/mpm/eventopt/eventopt.c b/server/mpm/eventopt/eventopt.c index 56f69743fb..b3ac01c310 100644 --- a/server/mpm/eventopt/eventopt.c +++ b/server/mpm/eventopt/eventopt.c @@ -820,11 +820,12 @@ static int process_pollop(pollset_op_t *op) rv = apr_pollset_add(event_pollset, &op->cs->pfd); if (rv != APR_SUCCESS && !APR_STATUS_IS_EEXIST(rv)) { + apr_pool_t *p = cs->p; ap_log_error(APLOG_MARK, APLOG_ERR, rv, ap_server_conf, APLOGNO(00467) "%s: apr_pollset_add failure", op->tag); apr_socket_close(cs->pfd.desc.s); apr_pool_clear(cs->p); - ap_push_pool(worker_queue_info, cs->p); + ap_push_pool(worker_queue_info, p); return 0; } return 1; @@ -910,8 +911,9 @@ static int start_lingering_close(event_conn_state_t *cs, ap_equeue_t *eq) static int start_lingering_close_blocking(event_conn_state_t *cs, ap_equeue_t *eq) { if (ap_start_lingering_close(cs->c)) { + apr_pool_t *p = cs->p; apr_pool_clear(cs->p); - ap_push_pool(worker_queue_info, cs->p); + ap_push_pool(worker_queue_info, p); return 0; } return start_lingering_close(cs, eq); @@ -935,9 +937,10 @@ static int start_lingering_close_nonblocking(event_conn_state_t *cs, ap_equeue_t if (c->aborted || ap_shutdown_conn(c, 0) != APR_SUCCESS || c->aborted || apr_socket_shutdown(csd, APR_SHUTDOWN_WRITE) != APR_SUCCESS) { + apr_pool_t *p = cs->p; apr_socket_close(csd); apr_pool_clear(cs->p); - ap_push_pool(worker_queue_info, cs->p); + ap_push_pool(worker_queue_info, p); return 0; } return start_lingering_close(cs, eq); @@ -953,6 +956,7 @@ static int stop_lingering_close(event_conn_state_t *cs, ap_equeue_t *eq) { apr_status_t rv; apr_socket_t *csd = ap_get_conn_socket(cs->c); + apr_pool_t *p = cs->p; ap_log_error(APLOG_MARK, APLOG_TRACE4, 0, ap_server_conf, "socket reached timeout in lingering-close state"); rv = apr_socket_close(csd); @@ -961,7 +965,7 @@ static int stop_lingering_close(event_conn_state_t *cs, ap_equeue_t *eq) AP_DEBUG_ASSERT(0); } apr_pool_clear(cs->p); - ap_push_pool(worker_queue_info, cs->p); + ap_push_pool(worker_queue_info, p); return 0; } @@ -1311,6 +1315,7 @@ static apr_status_t push2worker(const apr_pollfd_t * pfd, rc = ap_queue_push(worker_queue, cs->pfd.desc.s, cs, cs->p); if (rc != APR_SUCCESS) { + apr_pool_t *p = cs->p; /* trash the connection; we couldn't queue the connected * socket to a worker */ @@ -1319,7 +1324,7 @@ static apr_status_t push2worker(const apr_pollfd_t * pfd, ap_log_error(APLOG_MARK, APLOG_CRIT, rc, ap_server_conf, APLOGNO(00471) "push2worker: ap_queue_push failed"); apr_pool_clear(cs->p); - ap_push_pool(worker_queue_info, cs->p); + ap_push_pool(worker_queue_info, p); } return rc; @@ -1431,6 +1436,7 @@ static void process_lingering_close(event_conn_state_t *cs, const apr_pollfd_t * apr_size_t nbytes; apr_status_t rv; struct timeout_queue *q; + apr_pool_t *p = cs->p; q = (cs->pub.state == CONN_STATE_LINGER_SHORT) ? &short_linger_q : &linger_q; /* socket is already in non-blocking state */ @@ -1453,7 +1459,7 @@ static void process_lingering_close(event_conn_state_t *cs, const apr_pollfd_t * TO_QUEUE_ELEM_INIT(cs); apr_pool_clear(cs->p); - ap_push_pool(worker_queue_info, cs->p); + ap_push_pool(worker_queue_info, p); } /* call 'func' for all elements of 'q' with timeout less than 'timeout_time'. -- 2.50.1