Hi Steffen,
On Mon, Mar 12, 2018 at 11:52 AM, Steffen <i...@apachelounge.com> wrote:
>
> A way back in 2015 I pointed this error before here:
>
> http://apache-http-server.18135.x6.nabble.com/2-4-17-dev-crash-libapr-1-dll-tt5024061.html#none
>
>
> Quote from Yann there:
>
> Answer from a Apache-dev: puzzled about how node->next (ie.
> pool->active->next->next) can be NULL, this is supposed to be a ring
> (AFAICT)... The other pointers don't seem to be corrupted.
>
>
> Still the error is there, maybe you can help to find the cause.
>
> The issues I reported latest
> https://github.com/SpiderLabs/ModSecurity/issues/1542
>
> For 2.4.32 same issues.
>
> Older reported same issue
> https://github.com/SpiderLabs/ModSecurity/issues/940
I think that this comment in ap_process_request() does not hold anymore:
/*
* Notice a timeout as an error message. This might be
* valuable for detecting clients with broken network
* connections or possible DoS attacks.
*
* It is still safe to use r / r->pool here as the eor bucket
* could not have been destroyed in the event of a timeout.
*/
ap_log_rerror(APLOG_MARK, APLOG_INFO, rv, r, APLOGNO(01581)
"Timeout while writing data for URI %s to the"
" client", r->unparsed_uri);
since ap_process_async_request() (called just before) has destroyed
the EOR bucket in any case.
IOW, 'r' can't be used here if the connection was already in error state.
Can you still reproduce with this patch:
Index: modules/http/http_request.c
===================================================================
--- modules/http/http_request.c (revision 1826315)
+++ modules/http/http_request.c (working copy)
@@ -470,7 +470,7 @@ AP_DECLARE(void) ap_process_request(request_rec *r
ap_process_async_request(r);
- if (!c->data_in_input_filters) {
+ if (!c->data_in_input_filters && !c->aborted) {
bb = apr_brigade_create(c->pool, c->bucket_alloc);
b = apr_bucket_flush_create(c->bucket_alloc);
APR_BRIGADE_INSERT_HEAD(bb, b);
?
Regards,
Yann.
