Posted to issues@trafficserver.apache.org by "William Bardwell (JIRA)" <ji...@apache.org> on 2011/06/07 17:29:58 UTC
[jira] [Created] (TS-827) TSMimeHdrFieldValueStringInsert() can use
freed memory to edit headers
TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
----------------------------------------------------------------------
Key: TS-827
URL: https://issues.apache.org/jira/browse/TS-827
Project: Traffic Server
Issue Type: Bug
Components: MIME
Affects Versions: 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9
Reporter: William Bardwell
Attachments: headers-prealloc.diff
TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
into the HdrHeap.
I have a hacky but functional patch for this.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
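The ordering problem in the report above, shown as an added example (not Traffic Server code and not the attached patch). It uses a simplified string arena with hypothetical names (`StrArena`, `arena_reserve`, `append_comma_val`), and the `prealloc` flag is an assumed illustration of reserving space before any pointer into the heap is taken.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model with hypothetical names, not Traffic Server code: an
 * arena whose allocation path may move every live string to a new buffer,
 * as the report says allocate_str() can via coalesce_str_heaps(). */
typedef struct { char *buf; size_t used, cap; unsigned moves; } StrArena;

static void arena_init(StrArena *a, size_t cap) {
    a->buf = malloc(cap); a->used = 0; a->cap = cap; a->moves = 0;
}

/* Ensure room for n more bytes, relocating the buffer if it is too small. */
static void arena_reserve(StrArena *a, size_t n) {
    if (a->used + n <= a->cap) return;
    size_t ncap = (a->used + n) * 2;
    char *nbuf = malloc(ncap);
    memcpy(nbuf, a->buf, a->used);
    free(a->buf);                /* pointers into the old buffer now dangle */
    a->buf = nbuf; a->cap = ncap; a->moves++;
}

/* Store n bytes; returns an offset, which stays valid across relocation. */
static size_t arena_alloc(StrArena *a, const char *s, size_t n) {
    arena_reserve(a, n);
    size_t off = a->used;
    memcpy(a->buf + off, s, n);
    a->used += n;
    return off;
}

/* Build "<old>, <val>" as a comma-list insert would. prealloc=0 takes the
 * pointer and then allocates (the reported ordering); prealloc=1 reserves
 * first so the allocation cannot move the buffer. Returns the new offset,
 * or -1 where the held pointer went stale (the model stops there). */
static long append_comma_val(StrArena *a, size_t off, size_t len,
                             const char *val, int prealloc) {
    size_t vlen = strlen(val), nlen = len + 2 + vlen;
    if (prealloc) arena_reserve(a, nlen);
    const char *old = a->buf + off;       /* pointer held across allocation */
    unsigned before = a->moves;
    arena_reserve(a, nlen);               /* allocation step */
    if (a->moves != before) return -1;    /* 'old' dangles: do not touch it */
    memcpy(a->buf + a->used, old, len);
    memcpy(a->buf + a->used + len, ", ", 2);
    memcpy(a->buf + a->used + len + 2, val, vlen);
    a->used += nlen;
    return (long)(a->used - nlen);
}
```

With a 16-byte arena holding `deflate`, appending `gzip` forces a relocation: the pointer-first ordering ends with a stale pointer, while reserving first yields `deflate, gzip` at a valid offset.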
[jira] [Assigned] (TS-827) TSMimeHdrFieldValueStringInsert() can
use freed memory to edit headers
Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom reassigned TS-827:
--------------------------------
Assignee: Leif Hedstrom
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
[jira] [Updated] (TS-827) TSMimeHdrFieldValueStringInsert() can use
freed memory to edit headers
Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-827:
-----------------------------
Backport to Version: 3.0.0
Fix Version/s: 3.0.0
3.1.0
Marking this for backporting to 3.0.0, since it's potentially a buffer overflow issue for plugins. This code should be cleaned up later, but I think amc is going to look at it later, and for now this is good enough.
Thanks William!
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Fix For: 3.1.0, 3.0.0
>
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
[jira] [Reopened] (TS-827) TSMimeHdrFieldValueStringInsert() can
use freed memory to edit headers
Posted by "Leif Hedstrom (Reopened) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom reopened TS-827:
------------------------------
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Fix For: 3.1.4, 3.1.0, 3.0.0
>
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (TS-827) TSMimeHdrFieldValueStringInsert() can
use freed memory to edit headers
Posted by "Leif Hedstrom (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom resolved TS-827.
------------------------------
Resolution: Fixed
I think 793f3cfc0ccd01a4dae551af3aa3aa1a5ea77856 is a better solution.
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Fix For: 3.1.4, 3.0.0, 3.1.0
>
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
[jira] [Updated] (TS-827) TSMimeHdrFieldValueStringInsert() can use
freed memory to edit headers
Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-827:
-----------------------------
Fix Version/s: (was: 3.0.0)
Removing the 3.0.0 fix version, until the votes on the 3.0.0 backport have passed.
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Fix For: 3.1.0
>
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
[jira] [Updated] (TS-827) TSMimeHdrFieldValueStringInsert() can use
freed memory to edit headers
Posted by "William Bardwell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
William Bardwell updated TS-827:
--------------------------------
Attachment: headers-prealloc.diff
Hacky patch that fixes this; a full fix requires not moving memory while holding pointers to it (in the result of parse_tok_list).
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
[jira] [Updated] (TS-827) TSMimeHdrFieldValueStringInsert() can use
freed memory to edit headers
Posted by "Leif Hedstrom (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-827:
-----------------------------
Fix Version/s: 3.1.4
Reopening this, I think we have a better solution available for this soon.
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Fix For: 3.1.4, 3.1.0, 3.0.0
>
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
[jira] [Updated] (TS-827) TSMimeHdrFieldValueStringInsert() can use
freed memory to edit headers
Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-827:
-----------------------------
Backport to Version: (was: 3.0.0)
Fix Version/s: 3.0.0
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Fix For: 3.1.0, 3.0.0
>
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.
[jira] [Commented] (TS-827) TSMimeHdrFieldValueStringInsert() can
use freed memory to edit headers
Posted by "William Bardwell (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/TS-827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13237400#comment-13237400 ]
William Bardwell commented on TS-827:
-------------------------------------
That new fix looks good.
> TSMimeHdrFieldValueStringInsert() can use freed memory to edit headers
> ----------------------------------------------------------------------
>
> Key: TS-827
> URL: https://issues.apache.org/jira/browse/TS-827
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 2.1.9, 2.1.8, 2.1.7, 2.1.6, 2.1.5, 2.1.4
> Reporter: William Bardwell
> Assignee: Leif Hedstrom
> Fix For: 3.1.4, 3.1.0, 3.0.0
>
> Attachments: headers-prealloc.diff
>
>
> TSMimeHdrFieldValueStringInsert() and other TSMimeHdrFieldValue*() APIs can use freed memory to edit headers
> due to calling HdrHeap::coalesce_str_heaps() from HdrHeap::allocate_str() from
> mime_field_value_insert_comma_val() and other mime_field_value_*comma_val() functions while holding pointers
> into the HdrHeap.
> I have a hacky but functional patch for this.