|
|
4056b0 |
------------------------------------------------------------
|
|
|
4056b0 |
revno: 13238
|
|
|
4056b0 |
revision-id: squid3@treenet.co.nz-20160506094614-zyjq1i8ym2gcvwbu
|
|
|
4056b0 |
parent: squid3@treenet.co.nz-20160506091244-3td2be9qbzsajxg8
|
|
|
4056b0 |
committer: Amos Jeffries <squid3@treenet.co.nz>
|
|
|
4056b0 |
branch nick: 3.4
|
|
|
4056b0 |
timestamp: Fri 2016-05-06 21:46:14 +1200
|
|
|
4056b0 |
message:
|
|
|
4056b0 |
Fix SIGSEGV in ESIContext response handling
|
|
|
4056b0 |
|
|
|
4056b0 |
HttpReply pointer was being unlocked without heving been locked.
|
|
|
4056b0 |
Resulting in a double-free. Make it use RefCount instead of
|
|
|
4056b0 |
manual locking to ensure locked/unlock is always symmetrical.
|
|
|
4056b0 |
------------------------------------------------------------
|
|
|
4056b0 |
# Bazaar merge directive format 2 (Bazaar 0.90)
|
|
|
4056b0 |
# revision_id: squid3@treenet.co.nz-20160506094614-zyjq1i8ym2gcvwbu
|
|
|
4056b0 |
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
|
|
|
4056b0 |
# testament_sha1: 4ff01cd3aaffb8c9b20b8595d2ee0ccfcf434b3f
|
|
|
4056b0 |
# timestamp: 2016-05-06 09:48:45 +0000
|
|
|
4056b0 |
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
|
|
|
4056b0 |
# base_revision_id: squid3@treenet.co.nz-20160506091244-\
|
|
|
4056b0 |
# 3td2be9qbzsajxg8
|
|
|
4056b0 |
#
|
|
|
4056b0 |
# Begin patch
|
|
|
4056b0 |
=== modified file 'src/esi/Esi.cc'
|
|
|
4056b0 |
--- src/esi/Esi.cc 2016-04-20 11:15:14 +0000
|
|
|
4056b0 |
+++ src/esi/Esi.cc 2016-05-06 09:46:14 +0000
|
|
|
4056b0 |
@@ -598,7 +598,7 @@
|
|
|
4056b0 |
|
|
|
4056b0 |
#endif
|
|
|
4056b0 |
|
|
|
4056b0 |
- if (!(rep || (outbound.getRaw() &&
|
|
|
4056b0 |
+ if (!(rep != NULL || (outbound.getRaw() &&
|
|
|
4056b0 |
outbound->len && (outbound_offset <= outbound->len)))) {
|
|
|
4056b0 |
debugs(86, 5, "ESIContext::send: Nothing to send.");
|
|
|
4056b0 |
return 0;
|
|
|
4056b0 |
@@ -643,18 +643,18 @@
|
|
|
4056b0 |
flags.clientwantsdata = 0;
|
|
|
4056b0 |
debugs(86, 5, "ESIContext::send: this=" << this << " Client no longer wants data ");
|
|
|
4056b0 |
/* Deal with re-entrancy */
|
|
|
4056b0 |
- HttpReply *temprep = rep;
|
|
|
4056b0 |
+ HttpReply::Pointer temprep = rep;
|
|
|
4056b0 |
rep = NULL; /* freed downstream */
|
|
|
4056b0 |
|
|
|
4056b0 |
- if (temprep && varState)
|
|
|
4056b0 |
- varState->buildVary (temprep);
|
|
|
4056b0 |
+ if (temprep != NULL && varState)
|
|
|
4056b0 |
+ varState->buildVary(temprep.raw());
|
|
|
4056b0 |
|
|
|
4056b0 |
{
|
|
|
4056b0 |
StoreIOBuffer tempBuffer;
|
|
|
4056b0 |
tempBuffer.length = len;
|
|
|
4056b0 |
tempBuffer.offset = pos - len;
|
|
|
4056b0 |
tempBuffer.data = next->readBuffer.data;
|
|
|
4056b0 |
- clientStreamCallback (thisNode, http, temprep, tempBuffer);
|
|
|
4056b0 |
+ clientStreamCallback (thisNode, http, temprep.raw(), tempBuffer);
|
|
|
4056b0 |
}
|
|
|
4056b0 |
|
|
|
4056b0 |
if (len == 0)
|
|
|
4056b0 |
@@ -1284,7 +1284,7 @@
|
|
|
4056b0 |
++parserState.stackdepth;
|
|
|
4056b0 |
}
|
|
|
4056b0 |
|
|
|
4056b0 |
- if (rep && !parserState.inited())
|
|
|
4056b0 |
+ if (rep != NULL && !parserState.inited())
|
|
|
4056b0 |
parserState.init(this);
|
|
|
4056b0 |
|
|
|
4056b0 |
/* we have data */
|
|
|
4056b0 |
@@ -1423,7 +1423,7 @@
|
|
|
4056b0 |
{
|
|
|
4056b0 |
debugs(86, 5, HERE << "Freeing for this=" << this);
|
|
|
4056b0 |
|
|
|
4056b0 |
- HTTPMSGUNLOCK(rep);
|
|
|
4056b0 |
+ rep = NULL; // refcounted
|
|
|
4056b0 |
|
|
|
4056b0 |
finishChildren ();
|
|
|
4056b0 |
|
|
|
4056b0 |
|
|
|
4056b0 |
diff --git src/esi/Context.h src/esi/Context.h
|
|
|
4056b0 |
index baae3fd..dcdcf05 100644
|
|
|
4056b0 |
--- src/esi/Context.h
|
|
|
4056b0 |
+++ src/esi/Context.h
|
|
|
4056b0 |
@@ -36,6 +36,7 @@
|
|
|
4056b0 |
#include "esi/Element.h"
|
|
|
4056b0 |
#include "clientStream.h"
|
|
|
4056b0 |
#include "err_type.h"
|
|
|
4056b0 |
+#include "HttpReply.h"
|
|
|
4056b0 |
#include "HttpStatusCode.h"
|
|
|
4056b0 |
|
|
|
4056b0 |
class ESIVarState;
|
|
|
4056b0 |
@@ -116,7 +117,7 @@ public:
|
|
|
4056b0 |
err_type errorpage; /* if we error what page to use */
|
|
|
4056b0 |
http_status errorstatus; /* if we error, what code to return */
|
|
|
4056b0 |
char *errormessage; /* error to pass to error page */
|
|
|
4056b0 |
- HttpReply *rep; /* buffered until we pass data downstream */
|
|
|
4056b0 |
+ HttpReply::Pointer rep; /* buffered until we pass data downstream */
|
|
|
4056b0 |
ESISegment::Pointer buffered; /* unprocessed data - for whatever reason */
|
|
|
4056b0 |
ESISegment::Pointer incoming;
|
|
|
4056b0 |
/* processed data we are waiting to send, or for
|