apache
Segmentation fault when APR_HAS_SHARED_MEMORY is enabled.
cache->rmm_addr can be uninitialized when apr_rmm_addr_get is called, leading to a segfault.
Bug fixed by commit 9327311d30f
| Type | NullDereference |
| Config | APR_HAS_SHARED_MEMORY (1st degree) |
| Fix-in | code |
| Location | modules/experimental/ |
#include <string.h>
/*
 * File-scope pointer that nothing in this listing ever assigns. An object
 * with static storage duration and no initializer starts out as a null
 * pointer, so this is the null value that main() hands down the call chain.
 * NOTE(review): presumably models st->cache_rmm from the page's trace - confirm.
 */
char *rmm_addr;
/*
 * Simplified model of the faulting callee.
 *
 * When APR_HAS_SHARED_MEMORY evaluates to non-zero, "something" is appended
 * to the string that rmm_addr points to. In every other configuration the
 * function has no effect.
 *
 * rmm_addr: destination string. It is used without any null check, and the
 *           callers in this listing do not check it either. It must also
 *           have room for the appended text, since strcat takes no size.
 */
void util_ald_create_cache(char *rmm_addr)
{
#if APR_HAS_SHARED_MEMORY
    /*
     * Fault site: strcat reads and writes through its first argument, so a
     * null rmm_addr is dereferenced here. The defect is therefore only
     * reachable in builds where this branch is compiled in.
     */
    strcat(rmm_addr, "something");
#else
    /* do something */
    (void)rmm_addr; /* the pointer is never touched in this configuration */
#endif
}
/*
 * Intermediate caller in the simplified call chain.
 *
 * Forwards rmm_addr to util_ald_create_cache() unchanged. No validation is
 * done at this level, so a null pointer passed in reaches the callee as-is.
 */
void util_ald_create_caches(char *rmm_addr)
{
    util_ald_create_cache(rmm_addr);
}
/*
 * Entry point of the reproducer.
 *
 * Passes the file-scope rmm_addr down the call chain. Nothing in this
 * listing assigns that pointer first, so it is still null at this point.
 */
int main(void)
{
    util_ald_create_caches(rmm_addr);

    return 0;
}
. call modules/experimental/util_ldap.c:458:util_ldap_cache_comparedn()
. 471: util_ldap_state_t *st = (util_ldap_state_t *)ap_get_module_config(r->server->module_config, &ldap_module);
. // st->cache_rmm may be NULL
. 482: curl = util_ald_create_caches(st, url);
.. call modules/experimental/util_ldap_cache_mgr.c:211:util_ald_create_caches()
.. 219: util_ald_create_cache()
... call modules/experimental/util_ldap_cache_mgr.c:252:util_ald_create_cache()
... // if APR_HAS_SHARED_MEMORY is enabled
... // apr_rmm_addr_get will dereference its first argument
... ERROR 267: apr_rmm_addr_get(st->cache_rmm, ...);