File apache2-CVE-2018-1302.patch of Package apache2.18661

--- a/modules/http2/h2_stream.c	(revision 1822623)
+++ b/modules/http2/h2_stream.c	(revision 1822624)
@@ -578,19 +578,9 @@
     ap_assert(stream);
     ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, stream->session->c, 
                   H2_STRM_MSG(stream, "destroy"));
-    if (stream->pool) {
-        apr_pool_destroy(stream->pool);
-        stream->pool = NULL;
-    }
+    apr_pool_destroy(stream->pool);
 }
 
-apr_pool_t *h2_stream_detach_pool(h2_stream *stream)
-{
-    apr_pool_t *pool = stream->pool;
-    stream->pool = NULL;
-    return pool;
-}
-
 apr_status_t h2_stream_prep_processing(h2_stream *stream)
 {
     if (stream->request) {
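Review bot: The now-unconditional `apr_pool_destroy(stream->pool);` carries no explanation of why the NULL check and the `stream->pool = NULL;` reset were dropped, so a later maintainer may be tempted to restore them. If the h2_stream object is itself allocated from stream->pool (not visible in this hunk), any access to `stream` after the destroy call touches freed memory, which would make the old reset the hazard rather than a safeguard. I would add a comment directly above the call, e.g. `/* stream may live in stream->pool: no access to *stream after this call */`. The call also now assumes stream->pool is never NULL here; an `ap_assert(stream->pool);` next to the existing `ap_assert(stream);` would make that precondition explicit. The enclosing function starts above the hunk.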
--- a/odules/http2/h2_stream.h	(revision 1822623)
+++ b/modules/http2/h2_stream.h	(revision 1822624)
@@ -158,15 +158,6 @@
 void h2_stream_cleanup(h2_stream *stream);
 
 /**
- * Detach the memory pool from the stream. Will prevent stream
- * destruction to take the pool with it.
- *
- * @param stream the stream to detach the pool from
- * @result the detached memory pool or NULL if stream no longer has one
- */
-apr_pool_t *h2_stream_detach_pool(h2_stream *stream);
-
-/**
  * Notify the stream that amount bytes have been consumed of its input
  * since the last invocation of this method (delta amount).
  */
--- a/modules/http2/h2_bucket_beam.c	(revision 1822623)
+++ b/modules/http2/h2_bucket_beam.c	(revision 1822624)
@@ -556,9 +556,8 @@
     }
 }
 
-static apr_status_t beam_cleanup(void *data)
+static apr_status_t beam_cleanup(h2_bucket_beam *beam, int from_pool)
 {
-    h2_bucket_beam *beam = data;
     apr_status_t status = APR_SUCCESS;
     int safe_send = (beam->owner == H2_BEAM_OWNER_SEND);
     int safe_recv = (beam->owner == H2_BEAM_OWNER_RECV);
@@ -571,6 +570,11 @@
      * Clean up receiver first, if safe, then cleanup sender, if safe.
      */
      
+     /* When called from pool destroy, io callbacks are disabled */
+     if (from_pool) {
+         beam->cons_io_cb = NULL;
+     }
+     
     /* When modify send is not safe, this means we still have multi-thread
      * protection and the owner is receiving the buckets. If the sending
      * side has not gone away, this means we could have dangling buckets
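Review bot: The added comment says io callbacks (plural) are disabled, yet the code clears only `beam->cons_io_cb`; whether the beam holds other callback pointers that stay armed on the pool-destroy path cannot be ruled out from this hunk. The comment should also state why: presumably the callback's context can already be gone when the pool pre-cleanup runs, so invoking it would touch freed memory. Suggested wording: `/* Pool destroy: the consumer's callback context may be gone, never call cons_io_cb from here */`. The new lines are indented five spaces where the surrounding code uses four. beam_cleanup starts and ends outside this hunk.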
@@ -606,10 +610,15 @@
     return status;
 }
 
+static apr_status_t beam_pool_cleanup(void *data)
+{
+    return beam_cleanup(data, 1);
+}
+
 apr_status_t h2_beam_destroy(h2_bucket_beam *beam)
 {
-    apr_pool_cleanup_kill(beam->pool, beam, beam_cleanup);
-    return beam_cleanup(beam);
+    apr_pool_cleanup_kill(beam->pool, beam, beam_pool_cleanup);
+    return beam_cleanup(beam, 0);
 }
 
 apr_status_t h2_beam_create(h2_bucket_beam **pbeam, apr_pool_t *pool, 
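Review bot: beam_pool_cleanup has no comment, and its pairing with the registration is easy to break: apr_pool_cleanup_kill removes an entry only when both the data pointer and the function pointer match, so the kill in h2_beam_destroy and the `apr_pool_pre_cleanup_register(pool, beam, beam_pool_cleanup);` call in the last hunk must always name the same function. If they drift apart, the pre-cleanup stays registered and beam_cleanup would run a second time when the pool is destroyed. I would add `/* Pool pre-cleanup adapter; must be the function passed to both register and kill */` above it. The bare `1` and `0` passed as from_pool would read better as named constants. h2_beam_create continues past the end of the hunk.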
@@ -642,7 +651,7 @@
     if (APR_SUCCESS == rv) {
         rv = apr_thread_cond_create(&beam->change, pool);
         if (APR_SUCCESS == rv) {
-            apr_pool_pre_cleanup_register(pool, beam, beam_cleanup);
+            apr_pool_pre_cleanup_register(pool, beam, beam_pool_cleanup);
             *pbeam = beam;
         }
     }
