|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2008-10-21 02:58 UTC] mike@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Wed Apr 24 04:01:30 2024 UTC |
Description: ------------ In http_request_api.c, _http_request_dtor inserts our HTTP request handle back into the persistent handle pool (via http_persistent_handle_release in http_curl_free) before we are finished working with the request. This can lead to multiple threads working with the same request at the same time, and can eventually cause corruption of curl data structures. The fix for this issue is simple: We should wait until we are finished with the request before we re-insert it into the persistent handle pool. A patch which implements this against current CVS is included below. Patch: --- http_request_api.c 2008-08-15 04:41:38.000000000 -0700 +++ http_request_api.c.fixed 2008-10-18 13:35:35.000000000 -0700 @@ -316,8 +316,8 @@ PHP_HTTP_API void _http_request_dtor(htt { TSRMLS_FETCH_FROM_CTX(request->tsrm_ls); - http_curl_free(&request->ch); http_request_reset(request); + http_curl_free(&request->ch); phpstr_dtor(&request->_cache.cookies); zend_hash_destroy(&request->_cache.options); Reproduce code: --------------- Here is an example case where memory is corrupted: Thread #1 releases request into persistent handle pool (via http_persistent_handle_release in _http_curl_free). Thread #2 grabs the request from the persistent handle pool, and sets up a new cookie store and url inside the request's request storage field. Thread #1 frees the memory allocated by Thread #2 (via http_request_reset) Thread #2 attempts to store cookies inside the previously allocated storage. Because this memory has been freed by Thread #1, this change may corrupt memory used by other threads.