
July 31, 2006

Off-By-One

The Apache Foundation recently fixed an off-by-one bug in the mod_rewrite module

--- modules/mappers/mod_rewrite.c.orig  2006/07/11 20:33:53     420983
+++ modules/mappers/mod_rewrite.c       2006/07/27 17:03:34     426138
@@ -670,7 +670,7 @@
             int c = 0;
 
             token[0] = cp = apr_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
                 if (*cp == '?') {
                     token[++c] = cp + 1;
                     *cp = '\0';
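Review bot: the loop body writes `token[++c]`, so under the old bound `c < 5` the index written reaches 5 on the fifth `?`, one past the end if `token` has five elements (indices 0..4), which is what the fix implies; the new bound `c < 4` caps the highest written index at 4. The declaration of `token` is outside this hunk, so confirm its size there, and consider expressing the bound in terms of that size (e.g. `c < sizeof(token) / sizeof(token[0]) - 1`) so the array length and the loop limit cannot drift apart again. Once the bound is hit, the rest of the string stays in the last slot with its remaining `?` characters unsplit, which the code that consumes `token` must expect.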

of the Apache webserver.
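As an added example (not Apache's code), here is the same tokenizing loop written so the bound is derived from the array's capacity rather than a literal: with a five-slot array the last index written is 4, which is exactly what the patch restores. The function name `split_on_qmark` and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Split s in place on '?' into at most ntoken pieces, mirroring the
 * mod_rewrite loop but with the bound taken from the caller's array
 * capacity. Invariant: token[c + 1] is only written while c + 1 < ntoken,
 * so the highest index ever written is ntoken - 1. Returns the number of
 * tokens filled; the final token keeps any remaining '?' unsplit. */
size_t split_on_qmark(char *s, char **token, size_t ntoken)
{
    size_t c = 0;

    if (s == NULL || ntoken == 0)
        return 0;

    token[0] = s;
    for (char *cp = s; *cp && c + 1 < ntoken; cp++) {
        if (*cp == '?') {
            token[++c] = cp + 1;   /* c + 1 < ntoken holds here */
            *cp = '\0';
        }
    }
    return c + 1;
}

int main(void)
{
    /* Constructed input with six '?' characters, more than the five
     * slots can hold: the surplus stays in the last slot. */
    char buf[] = "a?b?c?d?e?f?g";
    char *tok[5];
    size_t n = split_on_qmark(buf, tok, sizeof(tok) / sizeof(tok[0]));

    for (size_t i = 0; i < n; i++)
        printf("token[%zu] = \"%s\"\n", i, tok[i]);
    return 0;
}
```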

A theoretically exploitable flaw? Ho hum, you say.

Well, for the past seven months, or so, here on golem, child httpd processes have been occasionally dying, leaving messages of the form

httpd(29884) malloc: *** Deallocation of a pointer not malloced: 0x1923800; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug

in the error_log. By itself, this would not be a big deal except that, occasionally, a process would get “stuck” and continue issuing such messages until it filled the 250 GB disk. Yes, that’s a lot of messages. Running flat-out, it takes several hours to fill a 250 GB disk with 200 byte error messages. If I’m lucky, I catch it in time, stop Apache, trim the error_log, and then restart Apache.

But there’s an uncomfortable sense of being tethered to the machine, when you have to check every few hours to see if it’s gone berserk. Take the afternoon off, and you return to find a full disk, email messages refused, blog comments rejected, …

Without a way to reproduce the bug, or any useful information from the crash-logs, I was somewhat at a loss to write a good bug report. So you can imagine my elation that fixing the above, relatively trivial, bug in mod_rewrite seems to have fixed the problem.

Update:

Hmmm… It appears that the problem hasn’t entirely gone away. But it takes several days from restarting the server for the first such message to appear. Something of an improvement…
Posted by distler at July 31, 2006 11:13 PM


1 Comment & 0 Trackbacks

Re: Off-By-One

I bet if you change it to 3 the problem will get even better ;).

Posted by: Domenic Denicola on August 13, 2006 10:08 AM
