apache
Segmentation fault when APR_HAS_SHARED_MEMORY.
developers were passing apr_rmm_calloc() as an argument of the apr_rmm_addr_get function. However, there was no check regarding the apr_rmm_calloc result. This pattern happened three times in the same commit.
Bug fixed by commit d05e574ec26
| Type | NullDereference |
| Config | APR_HAS_SHARED_MEMORY (1st degree) |
| Fix-in | code |
| Location | modules/experimental/ |
#include <stdio.h>
#include <stdlib.h>
long rmm_addr = 99999999999999999;
char* apr_rmm_addr_get(char *ptr)
{
*ptr = '\0';
return ptr;
}
void util_ald_alloc()
{
#if APR_HAS_SHARED_MEMORY
/* allocate from shared memory */
char* buf = apr_rmm_addr_get((char*)calloc(rmm_addr, sizeof(char)));
printf("%s\n", buf);
#else
// do something
#endif
}
void util_ald_create_cache()
{
util_ald_alloc();
}
void util_ald_create_caches()
{
util_ald_create_cache();
}
int main(void)
{
util_ald_create_caches();
return 0;
}
diff --git a/apache/simple/d05e574.c b/apache/simple/d05e574.c
--- a/apache/simple/d05e574.c
+++ b/apache/simple/d05e574.c
@@ -13,7 +13,8 @@ void util_ald_alloc()
{
#if APR_HAS_SHARED_MEMORY
/* allocate from shared memory */
- char* buf = apr_rmm_addr_get((char*)calloc(rmm_addr, sizeof(char)));
+ char* block = (char*)calloc(rmm_addr, sizeof(char));
+ char* buf = block ? apr_rmm_addr_get(block) : NULL;
printf("%s\n", buf);
#else
// do something
. call modules/experimental/util_ldap_cache_mgr.c:211:util_ald_create_caches() . 219: util_ald_create_cache() .. call modules/experimental/util_ldap_cache_mgr.c:252:util_ald_create_cache() .. 281: util_ald_alloc() ... call modules/experimental/util_ldap_cache_mgr.c:95:util_ald_alloc() ... // if APR_HAS_SHARED_MEMORY is enabled ... // the result of apr_rmm_calloc will be dereferenced without checking if it is non NULL. ... ERROR 102: return (void *)apr_rmm_addr_get(cache->rmm_addr, apr_rmm_calloc(cache->rmm_addr, size));