Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2015/11/20 01:41:11 UTC

[jira] [Updated] (TS-3962) CID 1325824: (USE_AFTER_FREE) in malloc_bulkfree()

     [ https://issues.apache.org/jira/browse/TS-3962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryan Call updated TS-3962:
---------------------------
    Fix Version/s:     (was: 6.1.0)
                   6.0.1

> CID 1325824:    (USE_AFTER_FREE) in malloc_bulkfree()
> -----------------------------------------------------
>
>                 Key: TS-3962
>                 URL: https://issues.apache.org/jira/browse/TS-3962
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>            Reporter: Leif Hedstrom
>            Assignee: Phil Sorber
>             Fix For: 6.0.1
>
>
> {code}
> ** CID 1325824:    (USE_AFTER_FREE)
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> ________________________________________________________________________________________________________
> *** CID 1325824:    (USE_AFTER_FREE)
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 384       void *item = head;
> 385     
> 386       // Avoid compiler warnings
> 387       (void)tail;
> 388     
> 389       if (f->alignment) {
>    CID 1325824:    (USE_AFTER_FREE)
>    Using freed pointer "item".
> 390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391           ats_memalign_free(item);
> 392         }
> 393       } else {
> 394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395           ats_free(item);
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 388     
> 389       if (f->alignment) {
> 390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391           ats_memalign_free(item);
> 392         }
> 393       } else {
>    CID 1325824:    (USE_AFTER_FREE)
>    Using freed pointer "item".
> 394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395           ats_free(item);
> 396         }
> 397       }
> 398     }
> 399     
> /lib/ts/ink_queue.cc: 394 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 388     
> 389       if (f->alignment) {
> 390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391           ats_memalign_free(item);
> 392         }
> 393       } else {
>    CID 1325824:    (USE_AFTER_FREE)
>    Using freed pointer "item".
> 394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395           ats_free(item);
> 396         }
> 397       }
> 398     }
> 399     
> /lib/ts/ink_queue.cc: 390 in malloc_bulkfree(_InkFreeList *, void *, void *, unsigned long)()
> 384       void *item = head;
> 385     
> 386       // Avoid compiler warnings
> 387       (void)tail;
> 388     
> 389       if (f->alignment) {
>    CID 1325824:    (USE_AFTER_FREE)
>    Using freed pointer "item".
> 390         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 391           ats_memalign_free(item);
> 392         }
> 393       } else {
> 394         for (size_t i = 0; i < num_item && item; ++i, item = *(void **)item) {
> 395           ats_free(item);
> {code}
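> Seems we ought to not use the item in the iterator after we've already free'd it :).
> In both loops the body frees "item" and the increment expression then evaluates "item = *(void **)item", which reads the next pointer out of the block that was just released; the next pointer has to be loaded before the free call.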


