diff options
| author | Joe Orton <jorton@apache.org> | 2014-07-14 19:26:00 +0000 |
|---|---|---|
| committer | Joe Orton <jorton@apache.org> | 2014-07-14 19:26:00 +0000 |
| commit | b2605d20c42fe882a42f55d059286f64927ac30d (patch) | |
| tree | 65c09cc1dc1875766ff9c4257749972813417ee5 /include/scoreboard.h | |
| parent | 5b6b58bbf228de54e6222d6bd5eef46f0a16f2f9 (diff) | |
| download | httpd-b2605d20c42fe882a42f55d059286f64927ac30d.tar.gz | |
SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,
which could lead to a heap buffer overflow. Thanks to Marek Kroemeke
working with HP's Zero Day Initiative for reporting this.
* include/scoreboard.h: Add ap_copy_scoreboard_worker.
* server/scoreboard.c (ap_copy_scoreboard_worker): New function.
* modules/generators/mod_status.c (status_handler): Use it.
* modules/lua/lua_request.c (lua_ap_scoreboard_worker): Likewise.
Reviewed by: trawick, jorton, covener, jim
Submitted by: jorton, covener
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1610491 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'include/scoreboard.h')
| -rw-r--r-- | include/scoreboard.h | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/include/scoreboard.h b/include/scoreboard.h index d2be9c87a7..c41d7d3f0b 100644 --- a/include/scoreboard.h +++ b/include/scoreboard.h @@ -183,8 +183,25 @@ AP_DECLARE(int) ap_update_child_status_from_conn(ap_sb_handle_t *sbh, int status AP_DECLARE(void) ap_time_process_request(ap_sb_handle_t *sbh, int status); AP_DECLARE(worker_score *) ap_get_scoreboard_worker(ap_sb_handle_t *sbh); + +/** Return a pointer to the worker_score for a given child, thread pair. + * @param child_num The child number. + * @param thread_num The thread number. + * @return A pointer to the worker_score structure. + * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. */ AP_DECLARE(worker_score *) ap_get_scoreboard_worker_from_indexes(int child_num, int thread_num); + +/** Copy the contents of a worker scoreboard entry. The contents of + * the worker_score structure are copied verbatim into the dest + * structure, which must have sizeof(worker_score). + * @param dest Output parameter. + * @param child_num The child number. + * @param thread_num The thread number. + */ +AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, + int child_num, int thread_num); + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x); AP_DECLARE(global_score *) ap_get_scoreboard_global(void); |