File apache2-CVE-2018-1302.patch of Package apache2.18661
--- a/modules/http2/h2_stream.c (revision 1822623)
+++ b/modules/http2/h2_stream.c (revision 1822624)
@@ -578,19 +578,9 @@
ap_assert(stream);
ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, stream->session->c,
H2_STRM_MSG(stream, "destroy"));
- if (stream->pool) {
- apr_pool_destroy(stream->pool);
- stream->pool = NULL;
- }
+ apr_pool_destroy(stream->pool);
}
-apr_pool_t *h2_stream_detach_pool(h2_stream *stream)
-{
- apr_pool_t *pool = stream->pool;
- stream->pool = NULL;
- return pool;
-}
-
apr_status_t h2_stream_prep_processing(h2_stream *stream)
{
if (stream->request) {
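Review bot: The now-unconditional `apr_pool_destroy(stream->pool);` has no comment saying why the pointer is deliberately not reset afterwards, so a later cleanup could easily put the reset back. If the stream structure is itself allocated from `stream->pool` (not visible in this hunk, though dropping `stream->pool = NULL;` suggests it), any write to `stream` after this call touches freed memory. I would add `/* stream lives in its own pool: do not touch stream after this call */` above the call. With h2_stream_detach_pool removed, nothing visible here sets the pool to NULL any more, but an `ap_assert(stream->pool);` next to the existing `ap_assert(stream);` would make that assumption explicit. The enclosing function starts above the hunk.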
--- a/odules/http2/h2_stream.h (revision 1822623)
+++ b/modules/http2/h2_stream.h (revision 1822624)
@@ -158,15 +158,6 @@
void h2_stream_cleanup(h2_stream *stream);
/**
- * Detach the memory pool from the stream. Will prevent stream
- * destruction to take the pool with it.
- *
- * @param stream the stream to detach the pool from
- * @result the detached memory pool or NULL if stream no longer has one
- */
-apr_pool_t *h2_stream_detach_pool(h2_stream *stream);
-
-/**
* Notify the stream that amount bytes have been consumed of its input
* since the last invocation of this method (delta amount).
*/
--- a/modules/http2/h2_bucket_beam.c (revision 1822623)
+++ b/modules/http2/h2_bucket_beam.c (revision 1822624)
@@ -556,9 +556,8 @@
}
}
-static apr_status_t beam_cleanup(void *data)
+static apr_status_t beam_cleanup(h2_bucket_beam *beam, int from_pool)
{
- h2_bucket_beam *beam = data;
apr_status_t status = APR_SUCCESS;
int safe_send = (beam->owner == H2_BEAM_OWNER_SEND);
int safe_recv = (beam->owner == H2_BEAM_OWNER_RECV);
@@ -571,6 +570,11 @@
* Clean up receiver first, if safe, then cleanup sender, if safe.
*/
+ /* When called from pool destroy, io callbacks are disabled */
+ if (from_pool) {
+ beam->cons_io_cb = NULL;
+ }
+
/* When modify send is not safe, this means we still have multi-thread
* protection and the owner is receiving the buckets. If the sending
* side has not gone away, this means we could have dangling buckets
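Review bot: The added comment says io callbacks (plural) are disabled, but the branch clears only `beam->cons_io_cb`. If the beam holds other callbacks whose context can be gone by the time the pool cleanup runs (the struct is not visible here), they need the same treatment. Otherwise the comment should name the one field and the reason, for example `/* Pool destroy: the consumer's callback context may already be freed (confirm), so never invoke cons_io_cb from here */`. Whether this write happens under the beam's lock cannot be told from the hunk, because beam_cleanup starts and continues outside it.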
@@ -606,10 +610,15 @@
return status;
}
+static apr_status_t beam_pool_cleanup(void *data)
+{
+ return beam_cleanup(data, 1);
+}
+
apr_status_t h2_beam_destroy(h2_bucket_beam *beam)
{
- apr_pool_cleanup_kill(beam->pool, beam, beam_cleanup);
- return beam_cleanup(beam);
+ apr_pool_cleanup_kill(beam->pool, beam, beam_pool_cleanup);
+ return beam_cleanup(beam, 0);
}
apr_status_t h2_beam_create(h2_bucket_beam **pbeam, apr_pool_t *pool,
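Review bot: The bare `1` and `0` passed as `from_pool` in beam_pool_cleanup and h2_beam_destroy do not say what they select, and beam_cleanup has no comment describing the flag. A short doc comment on beam_cleanup should state that a non-zero `from_pool` means the call comes from the pool's pre-cleanup and disables the consumer io callback. The explicit path could read `return beam_cleanup(beam, 0); /* explicit destroy: callbacks stay enabled */`. That path leaves `cons_io_cb` live during h2_beam_destroy, so callers presumably must keep the callback's context valid until it returns; this is worth stating in the header documentation of h2_beam_destroy.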
@@ -642,7 +651,7 @@
if (APR_SUCCESS == rv) {
rv = apr_thread_cond_create(&beam->change, pool);
if (APR_SUCCESS == rv) {
- apr_pool_pre_cleanup_register(pool, beam, beam_cleanup);
+ apr_pool_pre_cleanup_register(pool, beam, beam_pool_cleanup);
*pbeam = beam;
}
}