Posted to issues@trafficserver.apache.org by "Igor Galić (JIRA)" <ji...@apache.org> on 2013/05/26 22:01:20 UTC

[jira] [Created] (TS-1923) 3.2.x - Fix resolve_logfield_string()

Igor Galić created TS-1923:
------------------------------

             Summary: 3.2.x - Fix resolve_logfield_string()
                 Key: TS-1923
                 URL: https://issues.apache.org/jira/browse/TS-1923
             Project: Traffic Server
          Issue Type: Bug
          Components: Core
            Reporter: Yunkai Zhang
            Assignee: Yunkai Zhang
             Fix For: 3.3.3
         Attachments: 0001-Fix-resolve_logfield_string.patch

When ATS receives a malicious request whose URL is too long to be held by
internal_msg_buffer, internal_msg_buffer_size might be set to 0.

As a result, the appended memory allocated by ats_malloc() would be
mistaken for memory from ink_freelist, and would finally be freed to
ink_freelist.

As this memory is larger than the one in ink_freelist, and all memory in
the original ink_freelist would not be reclaimed, it wouldn't cause a
segmentation fault; that is why we didn't notice it in the past.

But after we use the reclaimable freelist, this bug would cause a
segmentation fault when the memory is used to get inner meta-data or is
freed back to the OS by munmap().

===
Now, we have found the root cause that leads internal_msg_buffer_size to be 0
while internal_msg_buffer is NOT NULL.

That is the resolve_logfield_string() function. Let's fix it.

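The allocator mismatch the report describes (a heap buffer whose size field is left at 0, so the release path mistakes it for a freelist chunk) modeled as an added C example. This is not Traffic Server code: the toy freelist, the msg_t layout, fill_buffer(), free_path_for_url() and the CHUNK size are assumptions made for illustration; only the field names and the "size 0 means freelist" convention are taken from the report.

```c
/* Added illustration of the allocator mismatch described in TS-1923.
 * NOT Traffic Server code: the freelist, msg_t, fill_buffer() and CHUNK
 * are hypothetical stand-ins that reproduce the described pattern. */
#include <stdlib.h>
#include <string.h>

#define CHUNK 256          /* assumed fixed block size handed out by the toy freelist */
#define FREELIST_CAP 16

/* Toy freelist: a stack of CHUNK-sized blocks. */
typedef struct {
    void *slots[FREELIST_CAP];
    int top;
} freelist_t;

static freelist_t g_freelist;

static void *freelist_alloc(void) {
    return g_freelist.top > 0 ? g_freelist.slots[--g_freelist.top] : malloc(CHUNK);
}

static void freelist_free(void *p) {
    if (g_freelist.top < FREELIST_CAP) g_freelist.slots[g_freelist.top++] = p;
    else free(p);
}

/* Message with the convention from the report: size 0 means "this buffer came
 * from the freelist", any other value means "heap allocation of that size". */
typedef struct {
    char *internal_msg_buffer;
    size_t internal_msg_buffer_size;
} msg_t;

typedef enum { FREED_NONE, FREED_TO_FREELIST, FREED_TO_HEAP } free_path_t;

/* Release path: it trusts internal_msg_buffer_size to choose the allocator,
 * which is exactly what goes wrong when the size is 0 for a heap buffer. */
static free_path_t release_msg(msg_t *m) {
    free_path_t path;
    if (m->internal_msg_buffer == NULL) return FREED_NONE;
    if (m->internal_msg_buffer_size == 0) {
        freelist_free(m->internal_msg_buffer);   /* heap block enters the freelist if size is wrong */
        path = FREED_TO_FREELIST;
    } else {
        free(m->internal_msg_buffer);
        path = FREED_TO_HEAP;
    }
    m->internal_msg_buffer = NULL;
    return path;
}

/* Stand-in for the field-resolution step. When the resolved text does not fit
 * a freelist chunk it switches to a heap buffer. With fixed == 0 it forgets to
 * record the heap size (the reported bug); with fixed == 1 it records it. */
static void fill_buffer(msg_t *m, const char *text, int fixed) {
    size_t need = strlen(text) + 1;
    if (need <= CHUNK) {
        m->internal_msg_buffer = freelist_alloc();
        m->internal_msg_buffer_size = 0;
    } else {
        m->internal_msg_buffer = malloc(need);
        m->internal_msg_buffer_size = fixed ? need : 0;   /* bug when left at 0 */
    }
    memcpy(m->internal_msg_buffer, text, need);
}

/* Drive one request whose URL is url_len bytes of 'A' (constructed input) and
 * report which release path the buffer took. Drains the toy freelist afterwards
 * so every call starts from an empty pool. */
free_path_t free_path_for_url(size_t url_len, int fixed) {
    char *url = malloc(url_len + 1);
    msg_t m = {0};
    free_path_t path;

    memset(url, 'A', url_len);
    url[url_len] = '\0';

    fill_buffer(&m, url, fixed);
    path = release_msg(&m);

    while (g_freelist.top > 0) free(g_freelist.slots[--g_freelist.top]);
    free(url);
    return path;
}
```

With a short URL the buffer correctly goes back to the freelist. With a URL longer than CHUNK and the buggy fill_buffer(), the heap block is pushed onto the freelist (FREED_TO_FREELIST) even though it was never a freelist chunk; a simple freelist never looks at the block again, which matches the report's observation that the bug stayed silent, but any freelist that reads per-block metadata or unmaps blocks in bulk would now be operating on a block it does not own. Recording the real size (fixed == 1) sends the block back through free() instead.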