From fdc1e8413a28e424376dd344aefa660fd246548d Mon Sep 17 00:00:00 2001
From: Christophe Jaillet <jailletc36@apache.org>
Date: Sat, 18 Oct 2014 06:57:40 +0000
Subject: [PATCH] Merge r1599486 from trunk

mod_proxy_http: Avoid (unlikely) access to freed memory.

Submitted by: ylavic
Reviewed by: ylavic, jorton, rjung
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1632736 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                        |  2 ++
 STATUS                         | 13 -------------
 modules/proxy/mod_proxy_http.c |  1 -
 3 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 55e07c094f..b76cfd0d28 100644
--- a/CHANGES
+++ b/CHANGES
@@ -13,6 +13,8 @@ Changes with Apache 2.4.11
      request headers earlier.  Adds "MergeTrailers" directive to restore
      legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
 
+  *) mod_proxy_http: Avoid (unlikely) access to freed memory. [Yann Ylavic]
+
   *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
        - to correctly reset bits
        - not to modify the 'method_mask' bitfield unnecessarily
diff --git a/STATUS b/STATUS
index eb754cede2..b3e0ad530c 100644
--- a/STATUS
+++ b/STATUS
@@ -108,19 +108,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.4.x patch: trunk works
      +1: jkaluza, ylavic, rjung
 
-   * mod_proxy_http: Avoid (unlikely) access to freed memory.
-     trunk patch: http://svn.apache.org/r1599486
-     2.4.x patch: trunk works
-     +1: ylavic, jorton, rjung (as is)
-     covener: I did not look in depth, but is the preceding log message also bad?
-     ylavic: No, this concerns the next for (;; e = APR_BUCKET_NEXT(e)) iteration.
-             We could also s/apr_bucket_delete/APR_BUCKET_REMOVE/ instead, but
-             stripping some (unhandled) buckets from the source brigade does
-             not look correct to me either (brigade *to is to be consumed, but
-             *from is still living, the caller may want to reuse it, eg:
-             https://issues.apache.org/bugzilla/attachment.cgi?id=31686).
-             Should we?
-
    * mod_proxy: Make worker name truncation a non-fatal error.
      trunk patch: http://svn.apache.org/r1621367
                   http://svn.apache.org/r1621372
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index b8f06c111e..a0b0650183 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -687,7 +687,6 @@ static apr_status_t proxy_buckets_lifetime_transform(request_rec *r,
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00964)
                           "Unhandled bucket type of type %s in"
                           " proxy_buckets_lifetime_transform", e->type->name);
-            apr_bucket_delete(e);
             rv = APR_EGENERAL;
         }
     }
-- 
2.40.0