[PATCH - Apache 1.3] Apache 1.3.26 + mod_ssl 2.8.10 dumps core

[PATCH - Apache 1.3] Apache 1.3.26 + mod_ssl 2.8.10 dumps core

am 04.08.2002 19:08:13 von madhusudan_mathihalli

Hi,
I'm not sure whom to approach for this problem - so I'm sending it
to both the mailing lists. Here's a pretty easy way to reproduce the SEGV
that I'm experiencing (on HP-UX 11.0 / 11i)

1. Download OpenSSL 0.9.6e, Apache 1.3.26 and mod_ssl 2.8.10
2. Build and install Apache (ofcourse with mod_ssl capability)
3. Set the Timeout to 20 secs (pl. note it's the hard timeout and not the
keepalive / SSLSessionCacheTimeout)
4. Create a simple HTML file (/opt/apache/htdocs/a.html) as follows :
-----------------------------------------------

side_menu.htm





------------------------------------------------
5. And ofcourse, create /opt/apache/htdocs/10mb.pdf file.
6. Start Apache with SSL capability, and access the URL
https://servername/a.html (Client browser was Win2K box/IE 5.5).
7. Right click on "pdf-test", and select the "Save as" tab. This should
bring up the "Save As" dialog box.
8. Don't do any thing - and you'll see a SEGV in /opt/apache/logs/error_log
after about 20 secs.

Now, is this the expected behavior? I don't believe so. A closer
investigation seemed that mod_SSL had nothing to do with the core dump. It's
the way a aborted connection was handled.

The following patch seemed to resolve the core dump issue for me - but I
don't believe it's the correct fix. Can somebody please evaluate the patch
and let me know if it's okay? Also, I've not evaluated the side-effects of
doing such a thing.
[I don't know what's the difference b/w hard timeout and soft timeout - in
the sense where/how should it be used. It'd be great if somebody could
explain the difference]

Thanks
-Madhu

$ cvs diff http_protocol.c
Index: http_protocol.c
============================================================ =======
RCS file: /home/cvspublic/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.325
diff -u -r1.325 http_protocol.c
--- http_protocol.c 9 Jul 2002 15:26:26 -0000 1.325
+++ http_protocol.c 4 Aug 2002 16:54:45 -0000
@@ -2362,7 +2362,7 @@
if (length == 0)
return 0;

- ap_soft_timeout("send body", r);
+ ap_hard_timeout("send body", r);

while (!r->connection->aborted) {
if ((length > 0) && (total_bytes_sent + IOBUFSIZE) > length)
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: [PATCH - Apache 1.3] Apache 1.3.26 + mod_ssl 2.8.10 dumps cor

am 05.08.2002 07:15:21 von madhusudan_mathihalli

I do realize that the Apache community does not support such a usage of
Apache (with mod_ssl) - but I was wondering if somebody could atleast tell
me if the patch was okay / not okay.

Thanks
-Madhu

-----Original Message-----
From: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
To: 'dev@httpd.apache.org'
Cc: 'modssl-users@modssl.org'
Sent: 8/4/02 10:08 AM
Subject: [PATCH - Apache 1.3] Apache 1.3.26 + mod_ssl 2.8.10 dumps core

Hi,
I'm not sure whom to approach for this problem - so I'm sending
it
to both the mailing lists. Here's a pretty easy way to reproduce the
SEGV
that I'm experiencing (on HP-UX 11.0 / 11i)

1. Download OpenSSL 0.9.6e, Apache 1.3.26 and mod_ssl 2.8.10
2. Build and install Apache (ofcourse with mod_ssl capability)
3. Set the Timeout to 20 secs (pl. note it's the hard timeout and not
the
keepalive / SSLSessionCacheTimeout)
4. Create a simple HTML file (/opt/apache/htdocs/a.html) as follows :
-----------------------------------------------

side_menu.htm





------------------------------------------------
5. And ofcourse, create /opt/apache/htdocs/10mb.pdf file.
6. Start Apache with SSL capability, and access the URL
https://servername/a.html (Client browser was Win2K box/IE 5.5).
7. Right click on "pdf-test", and select the "Save as" tab. This should
bring up the "Save As" dialog box.
8. Don't do any thing - and you'll see a SEGV in
/opt/apache/logs/error_log
after about 20 secs.

Now, is this the expected behavior? I don't believe so. A closer
investigation seemed that mod_SSL had nothing to do with the core dump.
It's
the way a aborted connection was handled.

The following patch seemed to resolve the core dump issue for me - but I
don't believe it's the correct fix. Can somebody please evaluate the
patch
and let me know if it's okay? Also, I've not evaluated the side-effects
of
doing such a thing.
[I don't know what's the difference b/w hard timeout and soft timeout -
in
the sense where/how should it be used. It'd be great if somebody could
explain the difference]

Thanks
-Madhu

$ cvs diff http_protocol.c
Index: http_protocol.c
============================================================ =======
RCS file: /home/cvspublic/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.325
diff -u -r1.325 http_protocol.c
--- http_protocol.c 9 Jul 2002 15:26:26 -0000 1.325
+++ http_protocol.c 4 Aug 2002 16:54:45 -0000
@@ -2362,7 +2362,7 @@
if (length == 0)
return 0;

- ap_soft_timeout("send body", r);
+ ap_hard_timeout("send body", r);

while (!r->connection->aborted) {
if ((length > 0) && (total_bytes_sent + IOBUFSIZE) > length)
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org