[
https://issues.apache.org/jira/browse/AXIS2C-1378?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Lazarski resolved AXIS2C-1378.
-------------------------------------
Fix Version/s: 2.0.0
(was: 1.7.0)
Resolution: Fixed
Pre-compute and cache the qname string representation when the operation
qname is set. This ensures the string is allocated from the same allocator
that owns the qname (typically the global/configuration allocator).
Previously, if axutil_qname_to_string was called during request processing
(using a request-scoped allocator), the cached string would be freed when
the request pool was destroyed, causing use-after-free on subsequent
accesses.
> operation name is corrupted by the time it reaches dispatcher
> -------------------------------------------------------------
>
> Key: AXIS2C-1378
> URL: https://issues.apache.org/jira/browse/AXIS2C-1378
> Project: Axis2-C
> Issue Type: Bug
> Components: core/engine
> Reporter: Damitha N.M. Kumarage
> Priority: Major
> Fix For: 2.0.0
>
>
> I have following valgrind info when running Axis2/C with Apache module.
> ==8599== Invalid read of size 1
> ==8599== at 0x40276E8: strlen (mc_replace_strmem.c:242)
> ==8599== by 0x41866D7: vfprintf (in /lib/tls/i686/cmov/libc-2.9.so)
> ==8599== by 0x423E771: __vsnprintf_chk (in /lib/tls/i686/cmov/libc-2.9.so)
> ==8599== by 0x47A824E: axutil_log_impl_log_debug (stdio2.h:78)
> ==8599== by 0x46DE5DA: axis2_addr_disp_find_op (addr_disp.c:192)
> ==8599== by 0x46FFD6A: axis2_msg_ctx_find_op (msg_ctx.c:2094)
> ==8599== by 0x46DF6BA: axis2_disp_find_svc_and_op (disp.c:165)
> ==8599== by 0x46DE330: axis2_addr_disp_invoke (addr_disp.c:269)
> ==8599== by 0x46D784C: axis2_handler_invoke (handler.c:91)
> ==8599== by 0x46DD783: axis2_phase_invoke (phase.c:230)
> ==8599== by 0x46E0FFD: axis2_engine_invoke_phases (engine.c:691)
> ==8599== by 0x46E1A98: axis2_engine_receive (engine.c:249)
> ==8599== Address 0x4412ae0 is 6,800 bytes inside a block of size 8,192 free'd
> ==8599== at 0x4025DFA: free (vg_replace_malloc.c:323)
> ==8599== by 0x40D7289: apr_allocator_destroy (apr_pools.c:134)
> ==8599== by 0x46AEB35: axis2_handler (mod_axis2.c:381)
> ==8599== by 0x8081520: ap_run_handler (config.c:157)
> ==8599== by 0x8081C70: ap_invoke_handler (config.c:372)
> ==8599== by 0x80B78D3: ap_process_request (http_request.c:258)
> ==8599== by 0x80B46EC: ap_process_http_connection (http_core.c:190)
> ==8599== by 0x808A192: ap_run_process_connection (connection.c:43)
> ==8599== by 0x808A612: ap_process_connection (connection.c:178)
> ==8599== by 0x80F4C36: child_main (prefork.c:650)
> ==8599== by 0x80F4D29: make_child (prefork.c:690)
> ==8599== by 0x80F52CD: ap_mpm_run (prefork.c:966)
> You can reproduce this by running the echo sample with the following code added
> to addr_disp.c:
>
>     if (op)
>     {
>         axutil_qname_t *qname = (axutil_qname_t *) axis2_op_get_qname(op, env);
>         AXIS2_LOG_DEBUG(env->log, AXIS2_LOG_SI, "opname:%s",
>                         axutil_qname_to_string(qname, env));
>     }
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
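Added illustration of the allocator-lifetime bug described in the resolution above and of the fix (pre-computing the string from the allocator that owns the qname). This is constructed example code, not Axis2/C's own: pool_t, env_t and qname_t are simplified stand-ins for APR pools, axutil_env_t and axutil_qname_t, the qname layout is assumed, and the namespace and operation name are made-up sample values. The toy pool poisons its memory on destroy instead of freeing it, so the dangling cache pointer can be observed without undefined behaviour.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Toy bump allocator standing in for an APR pool / axutil allocator (constructed
 * for this example, not Axis2/C code). Destroying it poisons the buffer instead
 * of freeing it, so a dangling pointer can be observed without undefined behaviour. */
typedef struct pool { unsigned char buf[2048]; size_t used; int alive; } pool_t;

static void pool_init(pool_t *p) { p->used = 0; p->alive = 1; }

static void *pool_alloc(pool_t *p, size_t n) {
    void *r;
    assert(p->alive);                          /* allocating from a dead pool is a bug */
    if (p->used + n > sizeof p->buf) return NULL;
    r = p->buf + p->used;
    p->used += n;
    return r;
}

static void pool_destroy(pool_t *p) {
    memset(p->buf, 0xDD, sizeof p->buf - 1);   /* freed memory becomes garbage */
    p->buf[sizeof p->buf - 1] = '\0';
    p->alive = 0;
}

/* 1 if ptr was handed out by this pool, whether or not the pool is still alive. */
static int pool_owns(const pool_t *p, const void *ptr) {
    const unsigned char *c = (const unsigned char *)ptr;
    return c >= p->buf && c < p->buf + sizeof p->buf;
}

/* Stand-ins for axutil_env_t (carries the current scope's allocator) and
 * axutil_qname_t (assumed, simplified layout with a cached "ns:local" string). */
typedef struct env { pool_t *allocator; } env_t;
typedef struct qname { pool_t *owner; const char *ns, *local; char *str_cache; } qname_t;

static char *qname_build_string(const qname_t *q, pool_t *from) {
    size_t n = strlen(q->ns) + 1 + strlen(q->local) + 1;
    char *s = pool_alloc(from, n);
    if (s) snprintf(s, n, "%s:%s", q->ns, q->local);
    return s;
}

static qname_t *qname_create(const env_t *env, const char *ns, const char *local) {
    qname_t *q = pool_alloc(env->allocator, sizeof *q);
    q->owner = env->allocator;                 /* remember who owns this qname */
    q->ns = ns; q->local = local; q->str_cache = NULL;
    return q;
}

/* Pre-fix: the cache is filled lazily from whatever allocator the caller's env
 * carries. In the dispatcher that is the request pool, which mod_axis2 destroys
 * when the request ends, so the cached pointer dangles on the next request. */
static const char *qname_to_string_lazy(qname_t *q, const env_t *env) {
    if (!q->str_cache) q->str_cache = qname_build_string(q, env->allocator);
    return q->str_cache;
}

/* Post-fix: compute the string once, when the qname is attached to the
 * operation, from the allocator that owns the qname (the config pool). */
static void op_set_qname_fixed(qname_t *q) { q->str_cache = qname_build_string(q, q->owner); }

static const char *qname_to_string_fixed(qname_t *q, const env_t *env) {
    (void)env;                                 /* the caller's allocator no longer matters */
    return q->str_cache;
}

/* Two requests dispatched to one operation created at deployment time. Returns 1
 * if the name the second request sees lives in the qname's own pool, 0 if it
 * points into the first request's destroyed pool. */
static int op_name_is_live_after_request(int use_fix) {
    pool_t conf, req1, req2;
    env_t conf_env = { &conf }, req1_env = { &req1 }, req2_env = { &req2 };
    qname_t *q;
    const char *seen;
    pool_init(&conf); pool_init(&req1); pool_init(&req2);

    /* deployment: qname owned by the configuration pool (constructed sample values) */
    q = qname_create(&conf_env, "http://example.org/echo", "echoString");
    if (use_fix) op_set_qname_fixed(q);

    /* request 1: addr_disp logs the operation name, then the request pool dies */
    seen = use_fix ? qname_to_string_fixed(q, &req1_env) : qname_to_string_lazy(q, &req1_env);
    assert(strcmp(seen, "http://example.org/echo:echoString") == 0);
    pool_destroy(&req1);                       /* apr_allocator_destroy in mod_axis2 */

    /* request 2: same operation, fresh request pool */
    seen = use_fix ? qname_to_string_fixed(q, &req2_env) : qname_to_string_lazy(q, &req2_env);
    printf("%s: operation name %s\n", use_fix ? "fixed" : "lazy",
           pool_owns(q->owner, seen) ? "cached in the owning pool" : "dangles into a destroyed request pool");
    return pool_owns(q->owner, seen);
}

int main(void) {
    int lazy = op_name_is_live_after_request(0);   /* 0: the reported use-after-free */
    int fixed = op_name_is_live_after_request(1);  /* 1: string outlives the request */
    return (lazy == 0 && fixed == 1) ? 0 : 1;
}
```

The check that matters is the last one: the cached string must be owned by the same pool as the qname it describes. Under valgrind the lazy variant would show up exactly as the trace in the report does (a read inside a block freed by apr_allocator_destroy); the fixed variant never touches the request allocator for the cache.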