On Tue, Jan 26, 1999, [EMAIL PROTECTED] wrote:

> Full_Name: Bryan Mawhinney
> Version: 2.1.8-1.3.4
> OS: Slackware Linux 3.6
> Submission from: (NULL) (196.23.0.42)
> 
> Apache with mod_ssl and SSL session cache was seg faulting on most (but not all)
> transfers, in a similar manner to that which other Linux users have described
> (eg, PR# 57, 58, 74 and 78).  Disabling the session cache fixes the problem, but
> we don't want to do that.
> 
> We compiled with -g -ggdb3 and ran as non-root on port 8443.  gdb of the
> resulting core file showed that the fault occurs in memcpy, but doesn't show the
> call stack (as with PR#74).  Perhaps memcpy is corrupting the stack?
> 
> We recompiled mod_ssl and forced it to use the builtin SDBM (by renaming libdbm)
> and the seg faults have disappeared.  We're happy with this solution, but
> thought this info might help you identify the problem.

This then means that the results of the NDBM library under those Linux boxes
are strange or bogus in some situations. I've now added extra checks for the
datum.dsize and made the code even more robust. Please apply the appended
patch to ssl_engine_scache.c and try it out again with your vendor NDBM
library. It should now no longer dump core.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

Index: ssl_engine_scache.c
===================================================================
RCS file: /e/apache/SSL/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_scache.c,v
retrieving revision 1.19
diff -u -r1.19 ssl_engine_scache.c
--- ssl_engine_scache.c 1999/01/02 16:46:16     1.19
+++ ssl_engine_scache.c 1999/01/27 09:11:48
@@ -257,10 +257,12 @@
     dbmkey.dsize = SCI->nKey;
 
     /* create DBM value */
-    dbmval.dsize = sizeof(SCI->tExpiresAt)+SCI->nData;
+    dbmval.dsize = sizeof(time_t)+SCI->nData;
     dbmval.dptr  = (UCHAR *)malloc(dbmval.dsize);
-    memcpy(dbmval.dptr, &SCI->tExpiresAt, sizeof(SCI->tExpiresAt));
-    memcpy((char *)dbmval.dptr+sizeof(SCI->tExpiresAt), SCI->ucaData, SCI->nData);
+    if (dbmval.dptr == NULL)
+        return;
+    memcpy(dbmval.dptr, &SCI->tExpiresAt, sizeof(time_t));
+    memcpy((char *)dbmval.dptr+sizeof(time_t), SCI->ucaData, SCI->nData);
 
     /* and store it to the DBM file */
     ssl_mutex_on();
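Review bot: the new `if (dbmval.dptr == NULL) return;` drops the store silently; nothing in this hunk logs the allocation failure, so a cache that has stopped storing sessions under memory pressure looks exactly like a working one. Consider logging before the `return`. The switch from `sizeof(SCI->tExpiresAt)` to `sizeof(time_t)` pins the record header to a fixed width that the length check on the fetch side relies on, so the two must stay in sync.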
@@ -313,15 +315,18 @@
     ssl_mutex_off();
 
     /* immediately return if not found */
-    if (dbmval.dptr == NULL)
+    if (dbmval.dptr == NULL || dbmval.dsize < sizeof(time_t))
         return;
 
     /* copy over the information to the SCI */
-    SCI->nData   = dbmval.dsize-sizeof(SCI->tExpiresAt);
-    SCI->ucaData = (UCHAR *)malloc(dbmval.dsize-sizeof(SCI->tExpiresAt));
-    memcpy(SCI->ucaData, (char *)dbmval.dptr+sizeof(SCI->tExpiresAt),
-           dbmval.dsize-sizeof(SCI->tExpiresAt));
-    memcpy(&SCI->tExpiresAt, dbmval.dptr, sizeof(SCI->tExpiresAt));
+    SCI->nData   = dbmval.dsize-sizeof(time_t);
+    SCI->ucaData = (UCHAR *)malloc(SCI->nData);
+    if (SCI->ucaData == NULL) {
+        SCI->nData = 0;
+        return;
+    }
+    memcpy(SCI->ucaData, (char *)dbmval.dptr+sizeof(time_t), SCI->nData);
+    memcpy(&SCI->tExpiresAt, dbmval.dptr, sizeof(time_t));
 
     return;
 }
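Review bot: the guard `dbmval.dsize < sizeof(time_t)` stops the unsigned subtraction `dbmval.dsize-sizeof(time_t)` from wrapping to a huge `nData` (a plausible cause of the memcpy crash reported above), but `<` still admits a datum of exactly `sizeof(time_t)` bytes as a hit with `nData == 0` and a `malloc(0)`, whose result is implementation-defined and may be NULL. Suggest `<=` so a record carrying no session payload is treated as not found. Also note that `SCI->tExpiresAt` is assigned only after the data copy, so on the malloc failure path the caller sees `nData == 0` with an unset expiry; that is fine if every caller tests `nData` first, and deserves a comment saying so.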
@@ -385,7 +390,13 @@
     dbmkey = ssl_dbm_firstkey(dbm);
     for ( ; dbmkey.dptr != NULL; dbmkey = ssl_dbm_nextkey(dbm)) {
         dbmval = ssl_dbm_fetch(dbm, dbmkey);
-        memcpy(&tExpiresAt, dbmval.dptr, sizeof(tExpiresAt));
+        if (dbmval.dptr == NULL)
+            continue;
+        if (dbmval.dsize < sizeof(time_t)) {
+            ssl_dbm_delete(dbm, dbmkey);
+            continue;
+        }
+        memcpy(&tExpiresAt, dbmval.dptr, sizeof(time_t));
         if (tExpiresAt >= tNow)
             ssl_dbm_delete(dbm, dbmkey);
     }
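Review bot: the unchanged test `if (tExpiresAt >= tNow) ssl_dbm_delete(dbm, dbmkey);` removes records whose expiry lies at or after the current time, i.e. the sessions that are still valid, while records already past their expiry survive; if that is not intended, the comparison should read `tExpiresAt <= tNow`. Separately, the short-record cleanup added here calls `ssl_dbm_delete` while walking keys with `ssl_dbm_firstkey`/`ssl_dbm_nextkey`; several DBM implementations do not promise a stable walk when entries are deleted mid-iteration, so this inherits the same caveat as the existing expiry deletion, and collecting the keys first and deleting in a second pass would be safer.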

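As an added illustration of the `dsize` check (this is not code from mod_ssl or from this message), the following stand-alone decoder handles the record layout the patch stores, with the unguarded length computation beside it to show why the check matters; the `scache_rec`, `scache_decode`, `scache_encode` and `naive_ndata` names are assumptions:

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* One DBM session-cache record, in the layout the patch stores:
 *   [ time_t tExpiresAt ][ nData bytes of serialised session ]        */
typedef struct {
    int            ok;          /* 1 when the datum was well-formed     */
    time_t         expires_at;  /* expiry copied out of the header      */
    size_t         ndata;       /* length of the session payload        */
    unsigned char *data;        /* malloc'ed payload copy, or NULL      */
} scache_rec;

/* Length a fetch without the size check would compute: size_t is
 * unsigned, so a datum shorter than the header wraps to a huge value. */
size_t naive_ndata(size_t dsize)
{
    return dsize - sizeof(time_t);
}

/* Decode a datum (dptr, dsize) as returned by a DBM fetch. dsize is
 * validated before any arithmetic, so ndata cannot wrap; a datum that
 * holds only the header counts as "not found", not as an empty hit. */
scache_rec scache_decode(const unsigned char *dptr, size_t dsize)
{
    scache_rec r = { 0, 0, 0, NULL };
    if (dptr == NULL || dsize <= sizeof(time_t))
        return r;                                /* missing or bogus */
    r.ndata = dsize - sizeof(time_t);
    r.data  = malloc(r.ndata);
    if (r.data == NULL) {
        r.ndata = 0;
        return r;                                /* out of memory    */
    }
    memcpy(&r.expires_at, dptr, sizeof(time_t));
    memcpy(r.data, dptr + sizeof(time_t), r.ndata);
    r.ok = 1;
    return r;
}

/* Build a record in the same layout so the round trip can be checked;
 * out must have room for sizeof(time_t) + ndata bytes. */
size_t scache_encode(time_t expires_at, const unsigned char *data,
                     size_t ndata, unsigned char *out)
{
    memcpy(out, &expires_at, sizeof(time_t));
    memcpy(out + sizeof(time_t), data, ndata);
    return sizeof(time_t) + ndata;
}
```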
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
