You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@apr.apache.org by bu...@apache.org on 2010/09/30 11:19:56 UTC

DO NOT REPLY [Bug 48620] Bucket split overwriting existing buckets - leading to memory corruption and crash

https://issues.apache.org/bugzilla/show_bug.cgi?id=48620

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Joe Orton <jo...@redhat.com> 2010-09-30 05:19:50 EDT ---
You are using apr_bucket_destroy() when apr_bucket_delete() is generally
appropriate.

Using _destroy() in place of _delete() means that adjacent buckets may retain
references to the destroyed bucket, which can lead to memory corruption. 
Fixing this in your test case fixes the crash, so I expect it is the likely
cause, though the test case is too complex to be sure.

Doing a memset() on the data returned by a bucket read has undefined behaviour:
it is const data and you are casting away that const.

If you can come up with a minimal test case which:

a) *does* check return values
b) doesn't deliberately violate API constraints

please re-open.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@apr.apache.org
For additional commands, e-mail: bugs-help@apr.apache.org