On Mon, Jul 6, 2020 at 11:56 AM Yann Ylavic <ylavic....@gmail.com> wrote:
> >
> > In the previous code the first condition in the if was always true, and I
> > am not sure what happened with the second condition in
> > case e was the sentinel.
>
> AIUI, dereferencing the SENTINEL is not accessing unreserved/freed
> memory, it's accessing the RING/BRIGADE head (here bb->list the
> placeholder for `struct {apr_bucket *next, *prev;}`) as if it were an
> apr_bucket (given that struct apr_bucket has its own head/placeholder,
> e->type is `sizeof(apr_bucket*)` bytes after bb->list)).
s/`sizeof(apr_bucket*)` bytes/just/
> That's `apr_bucket_alloc_t *bucket_alloc` in struct
> apr_bucket_brigade, so quite unlikely to be &apr_bucket_type_eos.
> Finally APR_BUCKET_IS_{EOS,}(e) on an EMPTY brigade is always false
> with the current struct apr_bucket_brigade API. Just a bit fragile :)
>
>
> Regards;
> Yann.
