Johannes Erdfelt <[EMAIL PROTECTED]> writes:

> Problem 1:
> In worker_thread, there is a variable called csd that is used to get
> the new socket from lr->accept_func(). If that variable is NULL, then
> the memory for the new socket is allocated in the per-transaction pool.
> Unfortunately, the code neglected to reset the variable to NULL after
> servicing a request. The result is that the first request for each
> thread worked fine, but subsequent requests may have the memory
> overwritten, resulting in an invalid FD.
>
> Solution:
> Set it to NULL before calling lr->accept_func(). Implemented in the patch
> below.

I cleared that storage just before the call to apr_os_sock_put() so that
the reason is more obvious.

> Problem 2:
> pass_request fills out an iovec with the headers and the body of the
> request it wants to pass to another process. It unfortunately uses the
> wrong variable for the length, causing it to always be 0.
>
> Solution:
> Use the correct variable name "l". len is never set to anything so I removed
> that and used 0 in the one reference to it. Implemented in the patch below.

applied, but I made another fix (?) too... see my note below, and let me
know if it is bad :)

> Problem 3:
> receive_from_other_child assumes that the iovec is the same on read as
> it is on write. This isn't true and readmsg() follows readv() semantics.
> iovec is a scatter/gather list and as a result, the 2 send buffers are
> merged into one received buffer with the second always being untouched.
> It also trusted the lengths in iov.iov_len which will be the size of the
> original buffer, not the size of the data actually received.
>
> Solution:
> Merge the 2 buffers into 1 and find the null terminators for the 2 strings.
> Implemented in the patch below.

fix applied as-is

> Index: perchild.c
> @@ -1635,7 +1645,6 @@
> apr_bucket_brigade *bb = apr_brigade_create(r->pool, c->bucket_alloc);
> apr_bucket_brigade *sockbb;
> char request_body[HUGE_STRING_LEN] = "\0";
> - apr_off_t len = 0;

looks to me like len should be initialized to sizeof(request_body) since
on input to apr_brigade_flatten it should have the maximum length of the
char array

Thanks!

--
Jeff Trawick | [EMAIL PROTECTED]
Born in Roswell... married an alien...
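Review bot: the hunk deletes `apr_off_t len = 0;` outright, yet the reply states that `len` is the in/out length handed to apr_brigade_flatten for `request_body`; if that call is still made, the variable has to exist and carry the buffer capacity on input, so the line should read `apr_off_t len = sizeof(request_body);` (HUGE_STRING_LEN) rather than being removed or left at 0, otherwise the flatten has no room to write into. Suggest keeping the declaration with that initialiser and dropping only the stray use of the old value.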
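The scatter/gather behaviour behind Problem 3, as an added example that is not part of this thread or of perchild.c: the sender passes two NUL-terminated strings as a two-element iovec, and the receiver reads them into a single buffer and splits at the first NUL, bounding every step by the byte count recvmsg returns rather than by iov_len. The sample header and body strings are constructed and the helper names are hypothetical.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
/* Constructed sample: the two NUL-terminated strings pass_request would
 * hand to sendmsg as separate iovec entries (header block, then body). */
static const char SAMPLE_HEADERS[] = "GET / HTTP/1.0\r\nHost: example\r\n\r\n";
static const char SAMPLE_BODY[]    = "hello=world";

/* Hypothetical sender: a 2-element scatter/gather list, one string per entry. */
static int send_two_strings(int fd, const char *hdr, const char *body)
{
    struct iovec iov[2] = { { (void *)hdr,  strlen(hdr)  + 1 },
                            { (void *)body, strlen(body) + 1 } };
    struct msghdr msg = { 0 };
    msg.msg_iov = iov; msg.msg_iovlen = 2;
    return sendmsg(fd, &msg, 0) < 0 ? -1 : 0;
}

/* Hypothetical receiver: ONE buffer, since recvmsg follows readv semantics and
 * both sender entries arrive back to back. Split at the first NUL and bound all
 * work by the byte count recvmsg returns, never iov_len. Returns n or -1. */
static ssize_t receive_two_strings(int fd, char *buf, size_t buflen,
                                   const char **hdr, const char **body)
{
    struct iovec iov = { buf, buflen };
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n <= 0 || (msg.msg_flags & MSG_TRUNC)) return -1;
    const char *end1 = memchr(buf, '\0', (size_t)n);        /* end of string 1 */
    if (end1 == NULL) return -1;
    size_t rest = (size_t)n - (size_t)(end1 + 1 - buf);      /* bytes after it */
    if (rest == 0 || memchr(end1 + 1, '\0', rest) == NULL) return -1;
    *hdr = buf; *body = end1 + 1;
    return n;
}

/* Round trip over an AF_UNIX datagram socketpair; returns the byte count
 * received when both strings come back intact, 0 otherwise. */
ssize_t demo_round_trip(void)
{
    int sv[2]; char buf[256]; const char *h = NULL, *b = NULL;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return 0;
    ssize_t n = send_two_strings(sv[0], SAMPLE_HEADERS, SAMPLE_BODY) == 0
                ? receive_two_strings(sv[1], buf, sizeof buf, &h, &b) : -1;
    close(sv[0]); close(sv[1]);
    if (n < 0 || strcmp(h, SAMPLE_HEADERS) != 0 || strcmp(b, SAMPLE_BODY) != 0) return 0;
    return n;   /* 34 header bytes + 12 body bytes, NULs included */
}
```

The returned count is the only trustworthy length: after the call, iov.iov_len still holds the 256-byte capacity that was passed in, exactly the value the original receive_from_other_child mistook for the received size.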