Blame SOURCES/httpd-2.4.6-CVE-2016-2161.patch

008793
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
008793
index 44b5fc8..6a50ba7 100644
008793
--- a/modules/aaa/mod_auth_digest.c
008793
+++ b/modules/aaa/mod_auth_digest.c
008793
@@ -261,6 +261,26 @@ static void log_error_and_cleanup(char *msg, apr_status_t sts, server_rec *s)
008793
     cleanup_tables(NULL);
008793
 }
008793
 
008793
+/* RMM helper functions that behave like single-step malloc/free. */
008793
+
008793
+static void *rmm_malloc(apr_rmm_t *rmm, apr_size_t size)
008793
+{
008793
+    apr_rmm_off_t offset = apr_rmm_malloc(rmm, size);
008793
+
008793
+    if (!offset) {
008793
+        return NULL;
008793
+    }
008793
+
008793
+    return apr_rmm_addr_get(rmm, offset);
008793
+}
008793
+
008793
+static apr_status_t rmm_free(apr_rmm_t *rmm, void *alloc)
008793
+{
008793
+    apr_rmm_off_t offset = apr_rmm_offset_get(rmm, alloc);
008793
+
008793
+    return apr_rmm_free(rmm, offset);
008793
+}
008793
+
008793
 #if APR_HAS_SHARED_MEMORY
008793
 
008793
 static int initialize_tables(server_rec *s, apr_pool_t *ctx)
008793
@@ -299,8 +319,8 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
008793
         return !OK;
008793
     }
008793
 
008793
-    client_list = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*client_list) +
008793
-                                                          sizeof(client_entry*)*num_buckets));
008793
+    client_list = rmm_malloc(client_rmm, sizeof(*client_list) +
008793
+                                         sizeof(client_entry *) * num_buckets);
008793
     if (!client_list) {
008793
         log_error_and_cleanup("failed to allocate shared memory", -1, s);
008793
         return !OK;
008793
@@ -322,7 +342,7 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
008793
 
008793
     /* setup opaque */
008793
 
008793
-    opaque_cntr = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*opaque_cntr)));
008793
+    opaque_cntr = rmm_malloc(client_rmm, sizeof(*opaque_cntr));
008793
     if (opaque_cntr == NULL) {
008793
         log_error_and_cleanup("failed to allocate shared memory", -1, s);
008793
         return !OK;
008793
@@ -339,7 +359,7 @@ static int initialize_tables(server_rec *s, apr_pool_t *ctx)
008793
 
008793
     /* setup one-time-nonce counter */
008793
 
008793
-    otn_counter = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(*otn_counter)));
008793
+    otn_counter = rmm_malloc(client_rmm, sizeof(*otn_counter));
008793
     if (otn_counter == NULL) {
008793
         log_error_and_cleanup("failed to allocate shared memory", -1, s);
008793
         return !OK;
008793
@@ -779,7 +799,7 @@ static client_entry *get_client(unsigned long key, const request_rec *r)
008793
  * last entry in each bucket and updates the counters. Returns the
008793
  * number of removed entries.
008793
  */
008793
-static long gc(void)
008793
+static long gc(server_rec *s)
008793
 {
008793
     client_entry *entry, *prev;
008793
     unsigned long num_removed = 0, idx;
008793
@@ -789,6 +809,12 @@ static long gc(void)
008793
     for (idx = 0; idx < client_list->tbl_len; idx++) {
008793
         entry = client_list->table[idx];
008793
         prev  = NULL;
008793
+
008793
+        if (!entry) {
008793
+            /* This bucket is empty. */
008793
+            continue;
008793
+        }
008793
+
008793
         while (entry->next) {   /* find last entry */
008793
             prev  = entry;
008793
             entry = entry->next;
008793
@@ -800,8 +826,16 @@ static long gc(void)
008793
             client_list->table[idx] = NULL;
008793
         }
008793
         if (entry) {                    /* remove entry */
008793
-            apr_rmm_free(client_rmm, apr_rmm_offset_get(client_rmm, entry));
008793
+            apr_status_t err;
008793
+
008793
+            err = rmm_free(client_rmm, entry);
008793
             num_removed++;
008793
+
008793
+            if (err) {
008793
+                /* Nothing we can really do but log... */
008793
+                ap_log_error(APLOG_MARK, APLOG_ERR, err, s, APLOGNO()
008793
+                             "Failed to free auth_digest client allocation");
008793
+            }
008793
         }
008793
     }
008793
 
008793
@@ -835,16 +869,16 @@ static client_entry *add_client(unsigned long key, client_entry *info,
008793
 
008793
     /* try to allocate a new entry */
008793
 
008793
-    entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry)));
008793
+    entry = rmm_malloc(client_rmm, sizeof(client_entry));
008793
     if (!entry) {
008793
-        long num_removed = gc();
008793
+        long num_removed = gc(s);
008793
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01766)
008793
                      "gc'd %ld client entries. Total new clients: "
008793
                      "%ld; Total removed clients: %ld; Total renewed clients: "
008793
                      "%ld", num_removed,
008793
                      client_list->num_created - client_list->num_renewed,
008793
                      client_list->num_removed, client_list->num_renewed);
008793
-        entry = apr_rmm_addr_get(client_rmm, apr_rmm_malloc(client_rmm, sizeof(client_entry)));
008793
+        entry = rmm_malloc(client_rmm, sizeof(client_entry));
008793
         if (!entry) {
008793
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01767)
008793
                          "unable to allocate new auth_digest client");
008793