On 17 Aug 2001 17:21:16 -0400, Jeff Trawick wrote:
>[EMAIL PROTECTED] writes:
>
>> trawick 01/08/17 13:41:15
>>
>> Modified: modules/filters mod_include.c
>> Log:
>> Fix a problem in mod_include when we reached the BYTE_COUNT_THRESHOLD
>> after parsing the first part of the tag. We could get errors like
>>
>> [error] [client 127.0.0.1] unknown directive "<!" in parsed doc filename
>
>At this point, I think a certain class of errors is taken care of
>(encountering BYTE_COUNT_THRESHOLD at different places within the
>tag). I've tested tag offsets from 1 to 10000 bytes and some selected
>ones above that.
>
>I don't think we handle a tag longer than BYTE_COUNT_THRESHOLD.
>Paul mentioned off-line that he would look into that. I doubt that is
>necessary for the short term.

I'm seeing a SEGV when parsing a file > 8192 bytes (even 1 byte greater).
Notable points:
- Stack is trashed, can't get a backtrace
- The client receives the full & correct response
- Appears to be a call to a null function pointer (EIP=0 in trap log),
destroying the buckets. It could just be a symptom of other corruption
though.
- It still crashes even if the output is shorter than 8192 due to tag
parsing.

This is on OS/2 where there's no mmap or sendfile. We've seen before that
the non-mmap code path is different enough to have its own bugs....
--
______________________________________________________________________________
| Brian Havard | "He is not the messiah! |
| [EMAIL PROTECTED] | He's a very naughty boy!" - Life of Brian |
------------------------------------------------------------------------------
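
The offset sweep Jeff describes (tag offsets from 1 to 10000 bytes), as an added example that is not part of the original thread and is not mod_include's code: a minimal scanner for the `<!--#` tag start, fed in fixed-size chunks, run once while forgetting a partial match at each chunk boundary and once while carrying it over. It illustrates the class of error only, not the actual mod_include defect; `CHUNK` (set to the 8192 bytes Brian quotes), `scanner_t`, `feed` and `sweep` are hypothetical names, and the document content is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK 8192  /* assumed chunk size, from the 8192 bytes quoted above */
static const char START[] = "<!--#";  /* SSI tag start sequence */
/* Hypothetical scanner: 'matched' is how much of START has been seen so far. */
typedef struct { size_t matched; int tags; } scanner_t;

static void feed(scanner_t *s, const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == START[s->matched]) {
            if (++s->matched == sizeof(START) - 1) { s->tags++; s->matched = 0; }
        } else {
            /* '<' occurs only at START[0], so a mismatch restarts at 0 or 1 */
            s->matched = (buf[i] == START[0]) ? 1 : 0;
        }
    }
}

/* Put one constructed tag at each offset 1..max_off of a filler document, feed
 * it in CHUNK-sized pieces, and count offsets where exactly one tag was NOT
 * found. keep_state == 0 forgets a partial match at every chunk boundary. */
static int sweep(size_t max_off, int keep_state)
{
    static const char TAG[] = "<!--#echo var=\"DATE_LOCAL\" -->";
    size_t tlen = sizeof(TAG) - 1;
    int failures = 0;
    char *doc = malloc(max_off + tlen);
    if (!doc) return -1;
    for (size_t off = 1; off <= max_off; off++) {
        size_t total = off + tlen;
        memset(doc, 'x', off);
        memcpy(doc + off, TAG, tlen);
        scanner_t s = {0, 0};
        for (size_t pos = 0; pos < total; pos += CHUNK) {
            if (!keep_state) s.matched = 0;  /* drop the partial match */
            feed(&s, doc + pos, total - pos < CHUNK ? total - pos : CHUNK);
        }
        if (s.tags != 1) failures++;
    }
    free(doc);
    return failures;
}

int main(void)
{
    printf("bad offsets: stateless %d, stateful %d\n", sweep(10000, 0), sweep(10000, 1));
    return 0;
}
```

The stateless run misses the tag only at the four offsets (8188 to 8191) where the five-byte start sequence straddles the chunk boundary, which is why a sweep over every offset finds what a handful of spot checks would not.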