Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/08/16 17:35:05 UTC
[Bug 53730] New: Crash in mod_proxy_ajp with LogLevel trace7 or trace8
https://issues.apache.org/bugzilla/show_bug.cgi?id=53730
Priority: P2
Bug ID: 53730
Assignee: bugs@httpd.apache.org
Summary: Crash in mod_proxy_ajp with LogLevel trace7 or trace8
Severity: normal
Classification: Unclassified
OS: Solaris
Reporter: rainer.jung@kippdata.de
Hardware: Sun
Status: NEW
Version: 2.4-HEAD
Component: mod_proxy_ajp
Product: Apache httpd-2
When requesting a non-existing file via mod_proxy_ajp with an error page of at
least 969 bytes in size I get a crash. I used Tomcat with standard Tomcat error
page as a back end (Tomcat trunk and TC 7 head). If the URI is short, the error
page is a bit shorter than 969 bytes and is shown. If the URI gets longer, the
error page size gets beyond 969 bytes and the crash happens.
For the short page, where there's no crash, the packet dump code in
ajp_msg_dump() returns early with APR_ENOMEM, because the buffer is too short.
There seems to be a miscalculation in this code.
When the page gets longer, the packet dump code goes through and the packet is
being logged and shortly after during the same request the crash happens. It
seems there is some memory corruption taking place around ajp_msg_dump().
When the log level is below trace7, the code in ajp_msg_dump() is not being
executed. Need to investigate ajp_msg_dump() in detail.
This happens with prefork and event (worker not tested).
Backtrace:
#0 0xff0568c4 in _malloc_unlocked () from /lib/libc.so.1
No symbol table info available.
#1 0xff056684 in malloc () from /lib/libc.so.1
No symbol table info available.
#2 0xff2d453c in allocator_alloc (in_size=<optimized out>, allocator=0x147210)
at memory/unix/apr_pools.c:349
node = <optimized out>
ref = <optimized out>
max_index = <optimized out>
i = <optimized out>
size = 8192
index = 1
#3 apr_allocator_alloc (allocator=0x147210, size=<optimized out>) at
memory/unix/apr_pools.c:438
No locals.
#4 0xff347630 in apr_bucket_alloc (size=8016, list=0x1a7a30) at
buckets/apr_buckets_alloc.c:148
memnode = <optimized out>
node = <optimized out>
active = 0x1a7a18
endp = <optimized out>
#5 0xff346fe8 in apr_brigade_writev (b=0x1b81e0, flush=0, ctx=<optimized out>,
vec=0xffbfedd8, nvec=4) at buckets/apr_brigade.c:576
e = 0x1b81e4
total_len = 24
i = 0
buf = <optimized out>
#6 0x0005c7ec in basic_http_header (r=0x1a9a78, bb=0x1b81e0, protocol=0x700d8
"HTTP/1.1") at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/modules/http/http_filters.c:924
date = <optimized out>
proxy_date = <optimized out>
server = <optimized out>
us = 0x124700 "Apache/2.4.3-dev (Unix)"
h = {pool = 0x20, bb = 0x1}
vec = {{iov_base = 0x700d8, iov_len = 8}, {iov_base = 0x70098, iov_len
= 1}, {iov_base = 0x1b7b60, iov_len = 13}, {iov_base = 0x700f0, iov_len = 2}}
#7 0x0005ce90 in ap_http_header_filter (f=0x1aa610, b=0x1b7b28) at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/modules/http/http_filters.c:1283
r = 0x1a9a78
c = 0x1a5d00
protocol = 0x700d8 "HTTP/1.1"
e = <optimized out>
b2 = 0x1b81e0
h = {pool = 0x0, bb = 0x0}
ctx = 0x0
ctype = <optimized out>
eb = <optimized out>
#8 0x000349e0 in ap_pass_brigade (next=0x1aa610, bb=0x1b7b28) at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/server/util_filter.c:533
e = <optimized out>
#9 0x00038960 in ap_content_length_filter (f=0x1aa5f8, b=0x1b7b28) at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/server/protocol.c:1424
r = 0x1a9a78
ctx = 0x1b8170
e = <optimized out>
eblock = APR_NONBLOCK_READ
#10 0x000349e0 in ap_pass_brigade (next=0x1aa5f8, bb=bb@entry=0x1b7b28) at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/server/util_filter.c:533
e = <optimized out>
#11 0x0005ea4c in ap_byterange_filter (f=0x1aa5e0, bb=0x1b7b28) at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/modules/http/byterange_filter.c:496
r = 0x1a9a78
c = 0x1a5d00
e = <optimized out>
bsend = <optimized out>
tmpbb = <optimized out>
range_start = <optimized out>
range_end = <optimized out>
clength = <optimized out>
found = 0
num_ranges = 0
bound_head = 0x0
indexes = <optimized out>
idx = <optimized out>
i = <optimized out>
original_status = <optimized out>
max_ranges = 200
max_overlaps = 20
max_reversals = 20
overlaps = 0
reversals = 0
core_conf = <optimized out>
#12 0x000349e0 in ap_pass_brigade (next=0x1aa5e0, bb=0x1b7b28) at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/server/util_filter.c:533
e = <optimized out>
#13 0xfee4368c in proxy_ajp_handler (r=0x1a9a78, worker=<optimized out>,
conf=0xf30a0, url=<optimized out>, proxyname=0x0, proxyport=<optimized out>)
at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/modules/proxy/mod_proxy_ajp.c:510
locurl = 0x1ab098 "/23"
status = <optimized out>
server_portstr =
":9080\000RÈ\000\032]\000\000\032\232x\000\032\232x\000\000\000\000þç\006p\000\000\004,"
backend = 0x163410
retry = <optimized out>
dconf = 0xf3890
p = <optimized out>
uri = <optimized out>
#14 0xfee64800 in proxy_run_scheme_handler (r=0x1a9a78, worker=0xf34a0,
conf=0xf30a0, url=0x1aaff6 "ajp://localhost:8009/23", proxyhost=0x0,
proxyport=<optimized out>)
at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/modules/proxy/mod_proxy.c:2546
n = 0
rv = <optimized out>
#15 0xfee69260 in proxy_handler (r=0x1a9a78) at
/shared/build/dev/httpd/svn/httpd/branches/2.4.x/modules/proxy/mod_proxy.c:1072
url = 0x1aaff6 "ajp://localhost:8009/23"
uri = 0x1aaff6 "ajp://localhost:8009/23"
scheme = 0x1ab010 "ajp"
p = 0x1aaff9 "://localhost:8009/23"
p2 = 0xf33c0 ""
conf = 0xf30a0
proxies = 0xf3158
i = 1748985
access_status = 0
maxfwd = <optimized out>
balancer = 0x0
worker = 0xf34a0
attempts = 0
max_attempts = 0
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
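The report suspects a size miscalculation in the trace-level packet dump. As an added example (not httpd's ajp_msg_dump() and not code from this thread), here is a hex-dump formatter that computes its exact output size before writing and refuses a buffer that is too small; the row layout, function names and sample bytes are assumptions.

```c
#include <ctype.h>
#include <stdio.h>

#define ROW_BYTES 16
/* One row: "0000  " (6) + 16 * "xx " (48) + 16 ASCII chars + '\n' */
#define ROW_CHARS (6 + 3 * ROW_BYTES + ROW_BYTES + 1)
#define MAX_DUMP 0x10000u /* keeps every offset within 4 hex digits */

/* Exact bytes the dump needs, including the trailing NUL; 0 if len too big. */
size_t dump_size(const char *title, size_t len)
{
    int head = snprintf(NULL, 0, "%s (len=%zu)\n", title, len);
    if (head < 0 || len > MAX_DUMP)
        return 0;
    return (size_t)head + (len + ROW_BYTES - 1) / ROW_BYTES * ROW_CHARS + 1;
}

/* Returns chars written (without NUL), or -1 with out untouched if too small. */
long hex_dump(char *out, size_t out_size, const char *title,
              const unsigned char *data, size_t len)
{
    size_t need = dump_size(title, len), pos, off, i;
    if (need == 0 || out_size < need)
        return -1;
    pos = (size_t)snprintf(out, out_size, "%s (len=%zu)\n", title, len);
    for (off = 0; off < len; off += ROW_BYTES) {
        size_t n = len - off < ROW_BYTES ? len - off : ROW_BYTES;
        pos += (size_t)snprintf(out + pos, out_size - pos, "%04zx  ", off);
        for (i = 0; i < ROW_BYTES; i++) /* hex column, padded on a short row */
            pos += (size_t)(i < n
                ? snprintf(out + pos, out_size - pos, "%02x ", (unsigned)data[off + i])
                : snprintf(out + pos, out_size - pos, "   "));
        for (i = 0; i < ROW_BYTES; i++) /* ASCII column, same padding */
            out[pos++] = i >= n ? ' ' : isprint(data[off + i]) ? (char)data[off + i] : '.';
        out[pos++] = '\n';
    }
    out[pos] = '\0';
    return (long)pos;
}

int main(void)
{
    /* Constructed sample bytes, not a captured AJP packet. */
    static const unsigned char pkt[] = "AB\x00\x10\x04\x01\x94 constructed body";
    char buf[512];
    if (hex_dump(buf, sizeof(buf), "sample", pkt, sizeof(pkt) - 1) > 0)
        fputs(buf, stdout);
    return 0;
}
```

Because every row has a fixed width, the size returned by `dump_size()` is exact, so a one-byte-short buffer is rejected up front instead of being overrun partway through the dump.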
[Bug 53730] Crash in mod_proxy_ajp with LogLevel trace7 or trace8
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53730
--- Comment #1 from Rainer Jung <ra...@kippdata.de> ---
Fixed in trunk in r1373898 and proposed for backport to 2.4.x. 2.2 is not
affected.
[Bug 53730] Crash in mod_proxy_ajp with LogLevel trace7 or trace8
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53730
Jim Jagielski <ji...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED