I am having trouble with the stability of OpenSSL 0.9.6 under
Apache 1.3.19 on Windows (2000, NT, 98, Me).
I'm wondering if anyone has investigated and fixed a race
between deallocation of the read request pool and the expiration
of a recvwithtimeout. This seems to be related to the problem.
I am using OpenSSL with mod_rewrite, mod_auth, and JServ. One
of these other modules may well be the culprit. I'm dealing with
three different crashes that all seem to be related to use of
unallocated memory. I can cause one of these crashes without
mod_rewrite present. I think I have seen a different crash
with JServ out of the picture (but still configured). Sorry
about the vagueness on that one; some of these are pretty
infrequent... All of the crashes share a footprint that looks
like a failure in ap_ctx_get due to use of a garbage pointer
from within SSL_recvwithtimeout\ssl_io_suck_read, in this
code fragment:
    actx = (ap_ctx *)SSL_get_app_data2(ssl);
    if (actx != NULL)
        r = (request_rec *)ap_ctx_get(actx, "ssl::request_rec"); /* r has been freed. */
    rv = -1;
    if (r != NULL) {
        ss = ap_ctx_get(r->ctx, "ssl::io::suck"); /* r->ctx is garbage */
I have appended some information from BoundsChecker. I will
continue to investigate but I thought someone who knows something
might have already fixed the problem :-)
The way I got this was to set a breakpoint in mod_auth's
authenticate_basic_user method. Then I start a new Internet
Explorer 5.01 and ask for a JServ servlet page that requires
authentication. I get the "secure session" prompt, say yes,
and hit the breakpoint in the authentication routine. I let
Apache sit there a while. Meanwhile the browser has displayed
my certificate since it is not in a valid trust chain (I think
the browser aborted its session with Apache when it displayed
the certificate). After sitting there a few seconds, I resume
Apache and get the BoundsChecker complaint:
    Expression uses dangling pointer
    PTR: 0x01B61AE0

    Location of Error
        ap_ctx_get                   d:\apache\apache\src\ap\ap_ctx.c 127
        ssl_io_suck_read             D:\apache\apache\src\modules\ssl\ssl_engine_io.c 261
        SSL_recvwithtimeout          D:\apache\apache\src\modules\ssl\ssl_engine_io.c 567
        ssl_io_hook_recvwithtimeout  D:\apache\apache\src\modules\ssl\ssl_engine_io.c 460
        ap_hook_call_func            d:\apache\apache\src\ap\ap_hook.c 649
        ap_hook_call                 d:\apache\apache\src\ap\ap_hook.c 382
        buff_read                    d:\apache\apache\src\main\buff.c 299
        saferead_guts                d:\apache\apache\src\main\buff.c 702
        read_with_errors             d:\apache\apache\src\main\buff.c 753
        ap_bgets                     d:\apache\apache\src\main\buff.c 906
        getline                      d:\apache\apache\src\main\http_protocol.c 834
        read_request_line            d:\apache\apache\src\main\http_protocol.c 957
        ap_read_request              d:\apache\apache\src\main\http_protocol.c 1119
        child_sub_main               d:\apache\apache\src\main\http_main.c 5561
        child_main                   d:\apache\apache\src\main\http_main.c 5638
        _threadstartex               threadex.c 212

    Point of Allocation
        ap_palloc                    d:\apache\apache\src\main\alloc.c 901
        ap_pcalloc                   d:\apache\apache\src\main\alloc.c 980
        ap_read_request              d:\apache\apache\src\main\http_protocol.c 1079
        child_sub_main               d:\apache\apache\src\main\http_main.c 5561
        child_main                   d:\apache\apache\src\main\http_main.c 5638
        _threadstartex               threadex.c 212

    Point of De-allocation
        ap_clear_pool                d:\apache\apache\src\main\alloc.c 708
        ap_destroy_pool              d:\apache\apache\src\main\alloc.c 720
        child_sub_main               d:\apache\apache\src\main\http_main.c 5572
        child_main                   d:\apache\apache\src\main\http_main.c 5638
        _threadstartex               threadex.c 212
Here is my module load sequence. Maybe I've just configured the
sucker wrong. It seemed to me that I had to put mod_rewrite
after jserv_module for things to work right.
    ClearModuleList
    AddModule mod_so.c mod_mime.c mod_access.c mod_auth.c mod_negotiation.c
    AddModule mod_include.c mod_dir.c mod_cgi.c
    AddModule mod_alias.c mod_env.c mod_log_config.c mod_asis.c mod_imap.c
    AddModule mod_actions.c mod_setenvif.c
    LoadModule ssl_module debug/mod_ssl.dll
    LoadModule jserv_module debug/ApacheModuleJServ.dll
    LoadModule idleapache_mon_module debug/mod_idleapache_mon.dll
    LoadModule rewrite_module debug/mod_rewrite.dll
    LoadModule expires_module debug/mod_expires.dll
If you are interested in investigating this problem and want a copy
of my debug tree, let me know. It's about 8Mb zipped not built.
It gets pretty huge when built with full BoundsChecker instrumentation.
To get the dangling pointer information I turned on ALLOC_USE_MALLOC
in alloc.c. This seemed safe but I didn't look very closely.
Thank you for your interest,
Peter H. Smith
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
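Added illustration (not code from the post above, nor from Apache or mod_ssl): a toy C model of the lifetime problem the BoundsChecker trace shows. A request_rec is allocated from a per-request pool, the SSL layer stashes a raw pointer to it in per-connection app data, the pool is destroyed, and a late-firing recv hook dereferences the stale pointer. The pool, the app-data slot, and the names pool_register_cleanup, app_ctx, recv_hook and run_scenario are constructed stand-ins for ap_palloc/ap_destroy_pool, ap_register_cleanup and ap_ctx; the mitigation shown (a cleanup registered on the request pool that nulls the stashed reference, so the hook sees NULL instead of garbage) is one defensive pattern for this class of bug, not a statement of how mod_ssl was actually fixed. The pool poisons its arena on destroy so the stale read is visible rather than undefined.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy pool: one arena freed all at once, like ap_clear_pool. Destroying it
 * poisons the arena so a stale pointer reads 0xDD bytes instead of silently
 * seeing old data. Constructed for this example; not Apache's alloc.c. */
#define ARENA_SIZE 4096
#define MAX_CLEANUPS 8
typedef void (*cleanup_fn)(void *data);

typedef struct pool {
    unsigned char arena[ARENA_SIZE];
    size_t used;
    cleanup_fn cleanups[MAX_CLEANUPS];
    void *cleanup_data[MAX_CLEANUPS];
    int ncleanups;
} pool;

static void *pool_alloc(pool *p, size_t n) {
    n = (n + 15) & ~(size_t)15;               /* keep allocations 16-byte aligned */
    if (p->used + n > ARENA_SIZE) return NULL;
    void *mem = p->arena + p->used;
    p->used += n;
    memset(mem, 0, n);
    return mem;
}

/* Stand-in for ap_register_cleanup: fn runs when the pool is destroyed. */
static int pool_register_cleanup(pool *p, cleanup_fn fn, void *data) {
    if (p->ncleanups >= MAX_CLEANUPS) return -1;
    p->cleanups[p->ncleanups] = fn;
    p->cleanup_data[p->ncleanups] = data;
    p->ncleanups++;
    return 0;
}

static void pool_destroy(pool *p) {
    for (int i = 0; i < p->ncleanups; i++)
        p->cleanups[i](p->cleanup_data[i]);
    memset(p->arena, 0xDD, ARENA_SIZE);       /* poison: stale reads now show garbage */
    p->used = 0;
    p->ncleanups = 0;
}

/* Stand-in for the ap_ctx app-data table: a single "ssl::request_rec" slot. */
typedef struct { void *request_rec; } app_ctx;

#define REQUEST_MAGIC 0x52455155u             /* "REQU": lets the hook spot garbage */
typedef struct { uint32_t magic; int id; } request_rec;

/* Per-connection SSL state; it outlives any single request's pool. */
typedef struct { app_ctx actx; } ssl_conn;

/* What ap_read_request does in effect: allocate the request from the request
 * pool and let the SSL layer stash a raw pointer to it in its app data. */
static request_rec *read_request(pool *p, ssl_conn *ssl, int id) {
    request_rec *r = pool_alloc(p, sizeof *r);
    if (r == NULL) return NULL;
    r->magic = REQUEST_MAGIC;
    r->id = id;
    ssl->actx.request_rec = r;
    return r;
}

/* The recv-timeout hook as it behaves in the report: it trusts the stashed
 * pointer. Returns the request id, -1 if no request is stashed, -2 if the
 * memory behind the pointer no longer looks like a request. */
static int recv_hook(ssl_conn *ssl) {
    request_rec *r = (request_rec *)ssl->actx.request_rec;
    if (r == NULL) return -1;
    return (r->magic == REQUEST_MAGIC) ? r->id : -2;
}

/* Mitigation: tie the stashed reference's lifetime to the pool's. A cleanup on
 * the request pool clears the slot, so a hook firing after the pool is gone
 * sees NULL instead of a dangling pointer. */
static void clear_request_ref(void *data) {
    ((app_ctx *)data)->request_rec = NULL;
}

static request_rec *read_request_fixed(pool *p, ssl_conn *ssl, int id) {
    request_rec *r = read_request(p, ssl, id);
    if (r != NULL) (void)pool_register_cleanup(p, clear_request_ref, &ssl->actx);
    return r;
}

/* Scenario from the report: request read, request pool torn down at the end
 * of child_sub_main, then the timed-out recv hook fires on the same
 * connection. Returns what the hook sees after the pool is gone. */
static int run_scenario(int fixed) {
    static pool p;
    ssl_conn ssl = { { NULL } };
    memset(&p, 0, sizeof p);
    if (fixed) read_request_fixed(&p, &ssl, 42);
    else       read_request(&p, &ssl, 42);
    pool_destroy(&p);
    return recv_hook(&ssl);
}

int main(void) {
    printf("unfixed: hook sees %d (-2 = garbage behind dangling pointer)\n", run_scenario(0));
    printf("fixed:   hook sees %d (-1 = reference cleared with the pool)\n", run_scenario(1));
    return 0;
}
```

The magic-number check stands in for what BoundsChecker's dangling-pointer tracking does at runtime; in production code the point is to not reach the dereference at all, which is why the fix clears the reference in a pool cleanup rather than trying to validate a pointer after the fact.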