apache
Use of already freed subrequest data could lead to a segmentation fault.
The function cgi_handler may create a CGI bucket while handling a subrequest, and the bucket stores a pointer to that request. A subrequest can be torn down before the main request it belongs to, so when the bucket is read later its stored request pointer may refer to memory that has already been freed: a use after free, which typically shows up as a crash.
Bug fixed by commit bbeb0516cf0
| Field | Value |
|---|---|
| Type | UseAfterFree |
| Config | APR_FILES_AS_SOCKETS (1st degree) |
| Fix-in | code |
| Location | modules/generators/ |
```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the bug. The "request" r stands for the subrequest
 * data; it is NULL from the start, so the write below faults, just as a
 * dereference of the freed subrequest does in mod_cgi. */
void cgi_bucket_create(char *r)
{
    strcat(r, "something");   /* stands for mod_cgi.c:604: data->r = r */
}

void cgi_handler(char *r)
{
#if APR_FILES_AS_SOCKETS      /* the bucket is only created in this build configuration */
    cgi_bucket_create(r);
#endif
}

int main(void)
{
    char *r = NULL;           /* "already freed" subrequest data */
    cgi_handler(r);           /* segfaults when built with -DAPR_FILES_AS_SOCKETS=1 */
    return 0;
}
```
Call trace to the faulty statement (file:line:function; ERROR marks the store of the dangling pointer):

```text
. call modules/generators/mod_cgi.c:724:cgi_handler()
.   // if APR_FILES_AS_SOCKETS is enabled
.   908: b = cgi_bucket_create(r, ...);
.. call modules/generators/mod_cgi.c:571:cgi_bucket_create()
..   ERROR 604: data->r = r;
```
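To make the lifetime problem described above (and pinned by the trace at `data->r = r`) concrete, here is an added example that is not part of this page or of httpd. It models APR-style pools and subrequests with a few constructed types (`pool`, `request`, `cgi_bucket`) and constructed sample URIs, shows the bucket dangling once the subrequest's pool is destroyed, and contrasts that with anchoring the bucket to the main request. The hardened path is an illustrative choice for this example only, not a claim about what commit bbeb0516cf0 changed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of APR pool lifetimes (not APR itself): a pool owns up to
 * POOL_MAX_BLOCKS allocations and frees them all when destroyed. Addresses are
 * kept as integers so a destroyed pool can still say whether an address was its
 * own without touching freed memory (the job a sanitizer does in a real build). */
#define POOL_MAX_BLOCKS 8

typedef struct pool {
    struct pool *parent;               /* NULL for the top-level pool */
    uintptr_t blocks[POOL_MAX_BLOCKS];
    int nblocks;
    int live;                          /* cleared by pool_destroy() */
} pool;

typedef struct request {
    struct request *main;              /* parent request of a subrequest */
    char uri[64];
} request;

/* Mirrors the real bucket's private data: a bare request pointer, with nothing
 * tying the bucket's lifetime to that request's pool. */
typedef struct cgi_bucket { request *r; } cgi_bucket;

static void *pool_alloc(pool *p, size_t n)
{
    if (!p || !p->live || p->nblocks == POOL_MAX_BLOCKS) return NULL;
    void *m = calloc(1, n);
    if (m) p->blocks[p->nblocks++] = (uintptr_t)m;
    return m;
}

/* A subpool's header comes from its parent (as in APR) and so outlives the
 * subpool's contents; the top-level header comes straight from malloc. */
static pool *pool_create(pool *parent)
{
    pool *p = parent ? pool_alloc(parent, sizeof *p) : calloc(1, sizeof *p);
    if (p) { p->parent = parent; p->live = 1; }
    return p;
}

static void pool_destroy(pool *p)
{
    if (!p->live) return;
    for (int i = 0; i < p->nblocks; i++) free((void *)p->blocks[i]);
    p->live = 0;                       /* block list is kept for the audit below */
}

static request *request_create(pool *p, request *parent, const char *uri)
{
    request *r = pool_alloc(p, sizeof *r);
    if (!r) return NULL;
    r->main = parent;
    strncpy(r->uri, uri, sizeof r->uri - 1);
    return r;
}

/* The statement flagged in the trace (mod_cgi.c:604): data->r = r. */
static cgi_bucket cgi_bucket_create(request *r)
{
    cgi_bucket b = { r };
    return b;
}

/* Sanitizer stand-in: find the pool that handed out b->r, starting at the
 * suspected pool and walking up through its ancestors; returns 1 (dangling)
 * if that pool has already been destroyed, 0 otherwise. */
static int cgi_bucket_dangling(const cgi_bucket *b, const pool *suspect)
{
    for (const pool *p = suspect; p; p = p->parent)
        for (int i = 0; i < p->nblocks; i++)
            if (p->blocks[i] == (uintptr_t)b->r) return !p->live;
    return 0;
}

/* A main request whose pool owns a subrequest, e.g. an SSI page including a CGI
 * script (URIs are constructed sample values); the CGI handler runs on the
 * subrequest. Buggy path: the bucket receives the subrequest itself. Hardened
 * path (illustrative only, not a description of commit bbeb0516cf0): anchor the
 * bucket to the main request, whose pool outlives every subrequest. */
static int run(int anchor_to_main)
{
    pool *main_pool = pool_create(NULL);
    request *main_r = request_create(main_pool, NULL, "/index.shtml");
    pool *sub_pool = pool_create(main_pool);
    request *sub_r = request_create(sub_pool, main_r, "/cgi-bin/counter.cgi");
    if (!main_r || !sub_r) return -1;  /* allocation failure in the toy pools */
    cgi_bucket b = cgi_bucket_create(anchor_to_main ? sub_r->main : sub_r);
    pool_destroy(sub_pool);            /* subrequest finished before the bucket is read */
    int dangling = cgi_bucket_dangling(&b, sub_pool);

    pool_destroy(main_pool);
    free(main_pool);
    return dangling;
}

int scenario_subrequest_bucket(void)   { return run(0); }   /* 1: use after free */
int scenario_main_request_bucket(void) { return run(1); }   /* 0: pointer still live */
```

Call the two scenario functions from a `main()` of your own: `scenario_subrequest_bucket()` returns 1 (the bucket points into the destroyed subrequest pool) and `scenario_main_request_bucket()` returns 0. In a real httpd build the same question is answered by AddressSanitizer or APR's pool debugging (`--enable-pool-debug`), which flag the read of the freed request rather than this bookkeeping; the point the model makes is that the bucket must not outlive whatever request it stores, regardless of how the fix is expressed in the code.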