## July 31, 2006

### Off-By-One

The Apache Software Foundation recently fixed an off-by-one bug in the mod_rewrite module

--- modules/mappers/mod_rewrite.c.orig  2006/07/11 20:33:53     420983
+++ modules/mappers/mod_rewrite.c       2006/07/27 17:03:34     426138
@@ -670,7 +670,7 @@
int c = 0;

token[0] = cp = apr_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
if (*cp == '?') {
token[++c] = cp + 1;
*cp = '\0';
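Review bot: the loop bound should be tied to the declared size of `token` rather than a second bare literal, because the body writes `token[++c]` with a pre-increment: with `c < 5` the final iteration can write index 5, and `c < 4` caps the highest written index at 4, which is correct only if `token` has exactly five entries. Suggest `while (*cp && c < (int)(sizeof(token)/sizeof(token[0])) - 1)`, or at least a comment beside the loop saying the bound is one less than the array length because `c` is incremented before it is used as an index, so the next person to resize `token` does not reintroduce the overrun.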

of the Apache webserver.

A theoretically exploitable flaw? Ho hum, you say.
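The hunk shows only the loop, so here is an added example (not code from the patch or from Apache) that mirrors its structure. It assumes, as the new bound `c < 4` implies but the hunk does not show, that `token` is a five-element array (indices 0 to 4). The first function reports the highest index the loop would write for a given bound without touching any array; the second is a hardened splitter that derives the bound from the array length passed in by the caller.

```c
#include <stdio.h>
#include <string.h>

/* Highest index the mod_rewrite-style loop writes into token[] for a
 * given loop bound.  Mirrors the loop in the patch: c is pre-incremented
 * before it is used as an index (token[++c]), so the largest index
 * written is `bound`, not `bound - 1`.  Nothing is written here; the
 * function only reports what the loop would do. */
int highest_index_written(const char *s, int bound)
{
    int c = 0;
    int highest = 0;               /* token[0] is always assigned */
    for (const char *cp = s; *cp && c < bound; ++cp) {
        if (*cp == '?') {
            ++c;                   /* stands in for token[++c] = cp + 1; */
            if (c > highest)
                highest = c;
        }
    }
    return highest;
}

/* Hardened splitter (constructed for this example, not mod_rewrite's
 * code): the caller passes the real array length and the loop bound is
 * derived from it, so token[++c] can never reach token[ntok].  Splits
 * buf in place on '?', like the original, and returns the number of
 * tokens filled. */
int split_on_qmark(char *buf, char *token[], int ntok)
{
    int c = 0;
    char *cp;

    if (ntok < 1)
        return 0;
    token[0] = cp = buf;
    while (*cp && c < ntok - 1) {
        if (*cp == '?') {
            token[++c] = cp + 1;
            *cp = '\0';
        }
        ++cp;
    }
    return c + 1;
}

int main(void)
{
    /* Constructed input: five '?' separators, one more than four spare
     * slots can absorb, which is what drives the old loop past the end. */
    const char *input = "a?b?c?d?e?f";
    char *token[5];
    char buf[32];
    int n, i;

    printf("bound 5 (before patch): highest index written = %d, but slots are 0..4\n",
           highest_index_written(input, 5));
    printf("bound 4 (after patch):  highest index written = %d\n",
           highest_index_written(input, 4));

    strcpy(buf, input);
    n = split_on_qmark(buf, token, 5);
    for (i = 0; i < n; i++)
        printf("token[%d] = \"%s\"\n", i, token[i]);
    return 0;
}
```

With the old bound the sixth field, `f`, lands in `token[5]`; with the new bound the loop stops after four separators and the tail `e?f` is left unsplit in `token[4]`, which is the behaviour the hardened splitter reproduces.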

Well, for the past seven months or so, here on golem, child httpd processes have occasionally been dying, leaving messages of the form

```
httpd(29884) malloc: *** Deallocation of a pointer not malloced: 0x1923800; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
```

in the error_log. By itself, this would not be a big deal, except that, occasionally, a process would get “stuck” and continue issuing such messages until it filled the 250 GB disk. Yes, that’s a lot of messages. Running flat-out, it takes several hours to fill a 250 GB disk with 200-byte error messages. If I’m lucky, I catch it in time, stop Apache, trim the error_log, and then restart Apache.

But there’s an uncomfortable sense of being tethered to the machine, when you have to check every few hours to see if it’s gone berserk. Take the afternoon off, and you return to find a full disk, email messages refused, blog comments rejected, …

With no way to reproduce the bug, and no useful information from the crash logs, I was somewhat at a loss to write a good bug report. So you can imagine my elation that fixing the above, relatively trivial, bug in mod_rewrite seems to have fixed the problem.

#### Update:

Hmmm… It appears that the problem hasn’t entirely gone away. But it takes several days from restarting the server for the first such message to appear. Something of an improvement…

Posted by distler at July 31, 2006 11:13 PM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/884

## 1 Comment & 0 Trackbacks

### Re: Off-By-One

I bet if you change it to 3 the problem will get even better ;).

Posted by: Domenic Denicola on August 13, 2006 10:08 AM