[apache2] 04/05: mod_proxy: Fix crashes under high load with threaded mpms
Stefan Fritsch
sf at moszumanska.debian.org
Sun May 25 15:43:59 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch wheezy
in repository apache2.
commit b623312df61c601418d47bf98179b140598830f5
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sun May 25 17:34:57 2014 +0200
mod_proxy: Fix crashes under high load with threaded mpms
---
debian/changelog | 5 ++-
debian/patches/mod_proxy-crash-PR_50335.patch | 46 +++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 9163d66..94ebea3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,7 +13,10 @@ apache2 (2.2.22-13+deb7u2) UNRELEASED; urgency=medium
* mod_log_config: Fix a bug that cookies whose values contain '=' would
only be logged partially. This is related to CVE-2014-0098, but Apache
- 2.2.22 is not vulnerable to that issue.
+ 2.2.22 is not vulnerable to this issue.
+
+ * mod_proxy: Fix crashes under high load with threaded mpms.
+ https://issues.apache.org/bugzilla/show_bug.cgi?id=50335
-- Stefan Fritsch <sf at debian.org> Sun, 30 Mar 2014 10:40:41 +0200
diff --git a/debian/patches/mod_proxy-crash-PR_50335.patch b/debian/patches/mod_proxy-crash-PR_50335.patch
new file mode 100644
index 0000000..c320852
--- /dev/null
+++ b/debian/patches/mod_proxy-crash-PR_50335.patch
@@ -0,0 +1,46 @@
+# https://svn.apache.org/r1576714
+# https://svn.apache.org/r1573067
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=50335
+#
+# Fix crashes in mod_proxy with threaded mpms under high load
+#
+--- apache2.orig/modules/proxy/mod_proxy_http.c
++++ apache2/modules/proxy/mod_proxy_http.c
+@@ -267,6 +267,9 @@
+ if (transferred != -1)
+ conn->worker->s->transferred += transferred;
+ status = ap_pass_brigade(origin->output_filters, bb);
++ /* Cleanup the brigade now to avoid buckets lifetime
++ * issues in case of error returned below. */
++ apr_brigade_cleanup(bb);
+ if (status != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
+ "proxy: pass request body failed to %pI (%s)",
+@@ -286,7 +289,6 @@
+ return HTTP_BAD_REQUEST;
+ }
+ }
+- apr_brigade_cleanup(bb);
+ return OK;
+ }
+
+@@ -709,7 +711,7 @@
+ int force10, rv;
+ apr_table_t *headers_in_copy;
+
+- header_brigade = apr_brigade_create(p, origin->bucket_alloc);
++ header_brigade = apr_brigade_create(p, bucket_alloc);
+
+ /*
+ * Send the HTTP/1.1 request to the remote server
+@@ -1864,6 +1866,10 @@
+ }
+ } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES));
+
++ /* We have to cleanup bb brigade, because buckets inserted to it could be
++ * created from scpool and this pool can be freed before this brigade. */
++ apr_brigade_cleanup(bb);
++
+ /* See define of AP_MAX_INTERIM_RESPONSES for why */
+ if (interim_response >= AP_MAX_INTERIM_RESPONSES) {
+ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
diff --git a/debian/patches/series b/debian/patches/series
index 0db7751..1c798c8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,3 +41,4 @@ mod_dav_crash_PR_52559.patch
mod_dav-CVE-2013-6438.patch
cookie-logging-CVE-2014-0098.diff
SSL-ECC.patch
+mod_proxy-crash-PR_50335.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
More information about the Pkg-apache-commits
mailing list