Bug 27945 - Memory violations in 'ssl_io_filter_cleanup(..)' crashes the server
Summary: Memory violations in 'ssl_io_filter_cleanup(..)' crashes the server
Status: CLOSED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.0.49
Hardware: Other other
: P3 critical (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
: 28512 28577 29073 29277 29690 29788 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-03-25 14:25 UTC by keilh
Modified: 2014-02-17 13:43 UTC (History)
5 users (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description keilh 2004-03-25 14:25:09 UTC
Situation/Reproducing:

A client is sending a request over SSL. Before the first byte of 
the response is writen the client is closing the connection (stop button
pressed).
(error_log: [info] (32)Broken pipe: core_output_filter: writing data to the
network)

If in that situation the 'ssl_io_filter_cleanup' handler will be invoked, he is 
trying to send a SSL shutdown message. By that a memory violations occurs. See
the following stack:

   dummy_worker(opaque = 0x170fc0)
   worker_thread(thd = 0x170fc0, dummy = 0x1b1110)
   apr_pool_clear(pool = 0x255cc0)
   run_cleanups(cref = 0x255cd0)
   ssl_io_filter_cleanup(data = 0x256148)
   ssl_filter_io_shutdown(filter_ctx = 0x256148, c = 0x255de8, abortive = 0)
   SSL_smart_shutdown(ssl = 0x279268)
   ssl3_shutdown(0x279268, 0x0, 0xfe3562e0, 0xfdbf8000, 0xfffffff8, 0x274b50)
   ssl3_send_alert(0x279268, 0x279ba8, 0x1, 0x3, 0x0, 0x2)
   ssl3_write_pending(0x279268, 0x15, 0x15, 0x2, 0x0, 0x279cf4)
   BIO_write(0x260070, 0x27f790, 0x17, 0xff33ac84, 0xff1f655c, 0x0)
   bio_filter_out_write(bio = 0x260070, in = 0x27f790 "^U^C^A", inl = 23)
   bio_filter_out_flush(bio = 0x260070)
   ap_pass_brigade(next = 0x25c118, bb = 0x25f098)
   core_output_filter(f = 0x25c118, b = 0x260108)
   apr_pool_clear(pool = 0x2600d0)
   allocator_free(allocator = 0x1b3e50, node = (nil)) <-!!!!!!!!!
                                        

Fixes:
There are two possible fixes: 

a) Point fix in ssl_io_filter_cleanup: 
   Free only the SSL struct, but do not send any SSL shutdown.

b) Generel fix in allocator_free:
   Check if the parameter 'apr_memnode_t *node' is NULL
  


Patches:
a)
Index: modules/ssl/ssl_engine_io.c
===================================================================
RCS file:
/opt/projects/CVSROOT/navajo/src/org/apache/httpd-2.X/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.8
diff -r1.8 ssl_engine_io.c
1080,1084c1080,1081
<     c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
<     if ((ret = ssl_filter_io_shutdown(filter_ctx, c, 0)) != APR_SUCCESS) {
<         ap_log_error(APLOG_MARK, APLOG_INFO, ret, NULL,
<                      "SSL filter error shutting down I/O");
<     }
---
>       SSL_free(filter_ctx->pssl);
>       filter_ctx->pssl = NULL;
1086c1083
<     return ret;
---
>     return APR_SUCCESS;



b) 

Index: srclib/apr/memory/unix/apr_pools.c
===================================================================
RCS file:
/opt/projects/CVSROOT/navajo/src/org/apache/httpd-2.X/srclib/apr/memory/unix/apr_pools.c,v
retrieving revision 1.3
diff -r1.3 apr_pools.c
309a310,312
>       if(!node)
>               return;
>
Comment 1 Joe Orton 2004-03-26 09:23:44 UTC
Thanks for the report.  Something similar to (a) was checked in already:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.121&r2=1.122
Comment 2 Joe Orton 2004-05-25 19:13:56 UTC
*** Bug 28577 has been marked as a duplicate of this bug. ***
Comment 3 Joe Orton 2004-05-25 19:15:20 UTC
*** Bug 29073 has been marked as a duplicate of this bug. ***
Comment 4 Joe Orton 2004-06-01 21:21:24 UTC
*** Bug 28512 has been marked as a duplicate of this bug. ***
Comment 5 Joe Orton 2004-06-20 08:08:42 UTC
*** Bug 29690 has been marked as a duplicate of this bug. ***
Comment 6 Joe Orton 2004-06-25 15:00:41 UTC
*** Bug 29788 has been marked as a duplicate of this bug. ***
Comment 7 Joe Orton 2005-03-10 14:44:29 UTC
*** Bug 29277 has been marked as a duplicate of this bug. ***