From 8fe3cc79d1bcb4a20a0c56853d82e85c8a88b8f5 Mon Sep 17 00:00:00 2001
From: Graham Leggett <minfrin@apache.org>
Date: Mon, 20 Nov 2023 13:17:25 +0000
Subject: [PATCH] Backport to v2.4:

   *) core: Fix use after free warning with gcc -fanalyzer.
      trunk patch: http://svn.apache.org/r1892413
      2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-use-after-free.patch
      +1: minfrin, ylavic, jorton



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913983 13f79535-47bb-0310-9956-ffa450edef68

Conflict:The changelog contains context adaptation and does not contain the STATUS file
Reference:https://github.com/apache/httpd/commit/8fe3cc79d1bcb4a20a0c56853d82e85c8a88b8f5

---
 CHANGES           |  2 ++
 server/mpm_unix.c | 16 ++++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 518b39a..c495da0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.59
 
+  *) core: Fix use after free warning with gcc -fanalyzer. [Joe Orton]
+
   *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
 
 Changes with Apache 2.4.58
diff --git a/server/mpm_unix.c b/server/mpm_unix.c
index 8c4d233..ed4555a 100644
--- a/server/mpm_unix.c
+++ b/server/mpm_unix.c
@@ -259,10 +259,12 @@ AP_DECLARE(void) ap_reclaim_child_processes(int terminate,
         while (cur_extra) {
             ap_generation_t old_gen;
             extra_process_t *next = cur_extra->next;
+            pid_t pid = cur_extra->pid;
 
-            if (reclaim_one_pid(cur_extra->pid, action_table[cur_action].action)) {
-                if (ap_unregister_extra_mpm_process(cur_extra->pid, &old_gen) == 1) {
-                    mpm_callback(-1, cur_extra->pid, old_gen);
+            if (reclaim_one_pid(pid, action_table[cur_action].action)) {
+                if (ap_unregister_extra_mpm_process(pid, &old_gen) == 1) {
+                    /* cur_extra dangling pointer from here. */
+                    mpm_callback(-1, pid, old_gen);
                 }
                 else {
                     AP_DEBUG_ASSERT(1 == 0);
@@ -307,10 +309,12 @@ AP_DECLARE(void) ap_relieve_child_processes(ap_reclaim_callback_fn_t *mpm_callba
     while (cur_extra) {
         ap_generation_t old_gen;
         extra_process_t *next = cur_extra->next;
+        pid_t pid = cur_extra->pid;
 
-        if (reclaim_one_pid(cur_extra->pid, DO_NOTHING)) {
-            if (ap_unregister_extra_mpm_process(cur_extra->pid, &old_gen) == 1) {
-                mpm_callback(-1, cur_extra->pid, old_gen);
+        if (reclaim_one_pid(pid, DO_NOTHING)) {
+            if (ap_unregister_extra_mpm_process(pid, &old_gen) == 1) {
+                /* cur_extra dangling pointer from here. */
+                mpm_callback(-1, pid, old_gen);
             }
             else {
                 AP_DEBUG_ASSERT(1 == 0);
-- 
2.33.0