fix(filtering): avoid segfault in body filtering

joelwurtz · joelwurtz · commit 8862b27406cb · 2022-12-09T14:51:30.000+01:00
In some cases apache2 drop the request before the body has finish to filter, in those case our context cleanup
would drop the filter while it's used resulting in a segfault.

Also we create the body filter as soon as possible so it will be available even if the request is drop from apache.

Made also some ajustements in case the filtering does not work to correctly free up created buffer, this should result in less memory leaks
(or event not) in case of errors during the filtering.
diff --git a/src/mod_redirectionio.c b/src/mod_redirectionio.c
@@ -252,6 +252,15 @@ static apr_status_t redirectionio_filter_header_filtering(ap_filter_t *f, apr_bu
     redirectionio_protocol_send_filter_headers(ctx, f->r);
     ap_remove_output_filter(f);
 
+    if (ctx->body_filter == NULL) {
+        ctx->body_filter = (struct REDIRECTIONIO_FilterBodyAction *)redirectionio_action_body_filter_create(ctx->action, ctx->backend_response_status_code, ctx->response_headers);
+
+        // Force chunked encoding
+        if (ctx->body_filter != NULL) {
+            apr_table_unset(f->r->headers_out, "Content-Length");
+        }
+    }
+
     return ap_pass_brigade(f->next, bb);
 }
 
@@ -267,21 +276,10 @@ static apr_status_t redirectionio_filter_body_filtering(ap_filter_t *f, apr_buck
         return ap_pass_brigade(f->next, bb);
     }
 
-    if (ctx->action == NULL) {
-        return ap_pass_brigade(f->next, bb);
-    }
-
     if (ctx->body_filter == NULL) {
-        ctx->body_filter = (struct REDIRECTIONIO_FilterBodyAction *)redirectionio_action_body_filter_create(ctx->action, ctx->backend_response_status_code, ctx->response_headers);
+        ap_remove_output_filter(f);
 
-        if (ctx->body_filter == NULL) {
-            ap_remove_output_filter(f);
-
-            return ap_pass_brigade(f->next, bb);
-        }
-
-        // Force chunked encoding
-        apr_table_unset(f->r->headers_out, "Content-Length");
+        return ap_pass_brigade(f->next, bb);
     }
 
     if (APR_BRIGADE_EMPTY(bb)) {
@@ -316,7 +314,10 @@ static apr_status_t redirectionio_filter_body_filtering(ap_filter_t *f, apr_buck
                 b_new = apr_bucket_transient_create((const char *)output.data, output.len, f->r->connection->bucket_alloc);
 
                 if (b_new == NULL) {
+                    redirectionio_action_body_filter_drop(ctx->body_filter);
+                    ctx->body_filter = NULL;
                     ap_remove_output_filter(f);
+                    free(output.data);
 
                     return ap_pass_brigade(f->next, bb);
                 }
@@ -328,13 +329,15 @@ static apr_status_t redirectionio_filter_body_filtering(ap_filter_t *f, apr_buck
 
         if (APR_BUCKET_IS_EOS(b)) {
             output = redirectionio_action_body_filter_close(ctx->body_filter);
+            ctx->body_filter = NULL;
+            ap_remove_output_filter(f);
 
             if (output.len > 0) {
                 // Create a new one
                 b_new = apr_bucket_transient_create((const char *)output.data, output.len, f->r->connection->bucket_alloc);
 
                 if (b_new == NULL) {
-                    ap_remove_output_filter(f);
+                    free(output.data);
 
                     return ap_pass_brigade(f->next, bb);
                 }
@@ -347,16 +350,11 @@ static apr_status_t redirectionio_filter_body_filtering(ap_filter_t *f, apr_buck
             b_new = apr_bucket_eos_create(f->r->connection->bucket_alloc);
 
             if (b_new == NULL) {
-                ap_remove_output_filter(f);
-
                 return ap_pass_brigade(f->next, bb);
             }
 
             APR_BRIGADE_INSERT_TAIL(bb_new, b_new);
 
-            // Remove filter
-            ap_remove_output_filter(f);
-
             // Break
             break;
         }
diff --git a/src/redirectionio_protocol.c b/src/redirectionio_protocol.c
@@ -464,10 +464,5 @@ apr_status_t redirectionio_context_cleanup(void *context) {
         ctx->response_headers = NULL;
     }
 
-    if (ctx->body_filter != NULL) {
-        redirectionio_action_body_filter_drop(ctx->body_filter);
-        ctx->body_filter = NULL;
-    }
-
     return APR_SUCCESS;
 }

Original file line number	Diff line number	Diff line change
`@@ -464,10 +464,5 @@ apr_status_t redirectionio_context_cleanup(void *context) {`
`464`	`464`	`ctx->response_headers = NULL;`
`465`	`465`	`}`
`466`	`466`
`467`		`- if (ctx->body_filter != NULL) {`
`468`		`- redirectionio_action_body_filter_drop(ctx->body_filter);`
`469`		`- ctx->body_filter = NULL;`
`470`		`- }`
`471`		`-`
`472`	`467`	`return APR_SUCCESS;`
`473`	`468`	`}`