www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Saccoccio <r...@InfiniteTechnology.com>
Subject apache-api/2252: add_cgi_vars() doesn't destroy memory allocated by sub_req_lookup_uri()
Date Tue, 19 May 1998 13:47:48 GMT

>Number:         2252
>Category:       apache-api
>Synopsis:       add_cgi_vars() doesn't destroy memory allocated by sub_req_lookup_uri()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue May 19 06:50:00 PDT 1998
>Last-Modified:
>Originator:     robs@InfiniteTechnology.com
>Organization:
apache
>Release:        1.2.6 & 1.3b5
>Environment:
The problem report is based upon source code.
>Description:
add_cgi_vars() doesn't call destroy_sub_req(pa_req) to
destroy the memory allocated to the subrequest by 
sub_req_lookup_uri().

A comment in the code makes it pretty clear:

	/* Don't bother destroying pa_req --- it's only
	created in * child processes which are about to
	jettison their address * space anyway.  BTW, we
	concatenate filename and path_info * from the
	sub_request to be compatible in case the PATH_INFO *
	is pointing to an object which doesn't exist. */ .

This function is used by the fastcgi module, and
its address space is not jettisoned upon completion
of the request.  The problem is in both the v1.3b5 and
1.2.6 baselines.
>How-To-Repeat:
Have a look at add_cgi_vars() in util_script.c.  Its quite obvious.
>Fix:
Add "destroy_sub_req(pa_req);" after the "if (pa_req->filename) {...}"
conditional.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]




Mime
View raw message