Posted to issues@trafficserver.apache.org by "Yunkai Zhang (JIRA)" <ji...@apache.org> on 2013/05/24 19:10:21 UTC

[jira] [Updated] (TS-1913) Fix resolve_logfield_string()

     [ https://issues.apache.org/jira/browse/TS-1913?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yunkai Zhang updated TS-1913:
-----------------------------

    Summary: Fix resolve_logfield_string()  (was: Fix MIOBuffer::append_xmalloced())
    
> Fix resolve_logfield_string()
> -----------------------------
>
>                 Key: TS-1913
>                 URL: https://issues.apache.org/jira/browse/TS-1913
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>            Reporter: Yunkai Zhang
>         Attachments: 0002-Fix-MIOBuffer-append_xmalloced.patch
>
>
> When ATS receives a malicious request whose URL is too long to be held by
> internal_msg_buffer, the internal_msg_buffer_size might be set to 0.
> As a result, the appended memory, which was allocated by ats_malloc(), would
> be mistaken for memory from ink_freelist, and would finally be freed to
> ink_freelist.
> As this memory is larger than the one in ink_freelist, and all memory in
> the original ink_freelist would not be reclaimed, it wouldn't cause a
> segment-fault; that is why we didn't notice it in the past.
> But after we use reclaimable-freelist, this bug would cause a segment-fault
> when we use it to get inner meta-data or free it back to the OS by munmap().

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira