bclzvs / serf

Automatically exported from code.google.com/p/serf
0 stars 0 forks source link

Serf crashes on out-of-memory in allocator, and doesn't further check for this situation. #63

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Take a system with limited memory
2. Run a task allocating more memory that's available
3. Watch that task crash in serf:
(this crash is from serf 0.6.x with a small change to check for the active 
pointer and abort if it's null).

(gdb) bt
#0  0x00000002105a494a in kill () from /usr/lib/libc.so.54.0
#1  0x00000002105f90c1 in abort () at /usr/src/lib/libc/stdlib/abort.c:68
#2  0x000000020f8296ae in serf_bucket_mem_alloc (allocator=0x209aa3190,
   size=40) at buckets/allocator.c:190
#3  0x000000020f826bda in serf_bucket_create (type=0x20fa2f4a0,
   allocator=0x209aa3190, data=0x229461d38) at buckets/buckets.c:27
#4  0x000000020f8278a2 in serf_bucket_simple_copy_create (
   data=0x229461db8 "PROPFIND /repos/asf/!svn/ver/880911/subversion/trunk/subversion/include/private/svn_cache.h HTTP/1.1\r\n", len=102,
   allocator=0x209aa3190) at buckets/simple_buckets.c:73
#5  0x000000020f82b078 in ssl_encrypt (baton=0x2099a8038, bufsize=8000,
   buf=0x2099a808c "\200d\001\003\001", len=0x7f7ffffcac70)
   at buckets/ssl_buckets.c:578
#6  0x000000020f8272ed in common_databuf_prep (databuf=0x2099a8068,
   len=0x7f7ffffcad58) at buckets/buckets.c:316
#7  0x000000020f827363 in serf_databuf_read (databuf=0x2099a8068,
   requested=18446744073709551615, data=0x7f7ffffcad60, len=0x7f7ffffcad58)
   at buckets/buckets.c:334

What is the expected output? What do you see instead?
We should catch this situation and return a decent error to the application. 
Nowhere where serf allocates memory the resulting pointer is checked.

Original issue reported on code.google.com by lieven.govaerts@gmail.com on 10 Jun 2010 at 1:27

GoogleCodeExporter commented 9 years ago
The crash in the allocator is fixed in r139, serf_bucket_mem_[c]alloc now 
return NULL when no memory could be allocated from the pool.

However, nowhere in serf do we check for pointer nullness. The proposed 
solution is to add a callback function that - if defined by the application - 
is called when no memory can be allocated (// apr_abortfunc_t).

Original comment by lieven.govaerts@gmail.com on 21 Jun 2010 at 12:09