Posted to issues@trafficserver.apache.org by "Oknet Xu (JIRA)" <ji...@apache.org> on 2015/07/10 16:54:04 UTC
[jira] [Comment Edited] (TS-3754) IOBuffer memory leak
[ https://issues.apache.org/jira/browse/TS-3754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622401#comment-14622401 ]
Oknet Xu edited comment on TS-3754 at 7/10/15 2:53 PM:
-------------------------------------------------------
Suggest fixing it immediately, for the reasons listed below:
- the IOBufferData is allocated from ioDataAllocator and the size is calculated as 128*2^n.
- the write_avail() = _buf_end - _end
- a write operation will overwrite the next IOBufferData object in ioDataAllocator and the data in IOBufferData will be corrupted if _buf_end is exceeded.
- the freelist in the ProxyAllocator object may be broken if the memory area belonging to the next IOBufferData object is available to be allocated or deallocated by THREAD_FREE
was (Author: oknet):
Suggest fixing it immediately, for the reasons listed below:
- the IOBufferData is allocated from ioDataAllocator and the size is calculated as 128*2^n.
- the write_avail() is _buf_end - _end
- a write operation will overwrite the next IOBufferData object in ioDataAllocator and the data in IOBufferData will be corrupted if _buf_end is exceeded.
- the freelist in the ProxyAllocator object may be broken if the memory area belonging to the next IOBufferData object is available to be allocated or deallocated by THREAD_FREE
> IOBuffer memory leak
> --------------------
>
> Key: TS-3754
> URL: https://issues.apache.org/jira/browse/TS-3754
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Oknet Xu
> Priority: Critical
>
> the pointer `_end_buf` exceeds the IOBufferData->_data size if offset > 0
> patch below
> {code}
> diff --git a/iocore/eventsystem/P_IOBuffer.h b/iocore/eventsystem/P_IOBuffer.h
> index 3b8c323..71de17d 100644
> --- a/iocore/eventsystem/P_IOBuffer.h
> +++ b/iocore/eventsystem/P_IOBuffer.h
> @@ -477,7 +477,7 @@ IOBufferBlock::set(IOBufferData *d, int64_t len, int64_t offset)
> data = d;
> _start = buf() + offset;
> _end = _start + len;
> - _buf_end = _start + d->block_size();
> + _buf_end = _buf() + d->block_size();
> }
>
> TS_INLINE void
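
Review bot: the added `_buf_end` line calls `_buf()`, while the unchanged line two above it computes `_start` from `buf()`; nothing in the hunk shows a `_buf()` accessor, so this looks like a typo for `_buf_end = buf() + d->block_size();`. Separately, `set()` still does not check `offset + len` against `d->block_size()`, so `_end` can land past the corrected `_buf_end` and make `_buf_end - _end` negative; an assertion on that bound in this function would catch callers that pass an oversized range.
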
> {code}
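
The bounds arithmetic described in the comment above, as an added example that is not part of the original message or Traffic Server code: a two-region arena stands in for adjacent IOBufferData objects, and `Block`, `set_block` and `neighbour_bytes_clobbered` are hypothetical names. It assumes `offset + len` does not exceed the block size and takes `buf()` as the base, as the hunk's unchanged context line does.

```cpp
// Added model of the TS-3754 bounds arithmetic; not Traffic Server source.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

constexpr int64_t BLOCK_SIZE = 128; // smallest size class, 128*2^0

struct Block {
  char *buf, *start, *end, *buf_end;
  // Same formula the comment gives: _buf_end - _end.
  int64_t write_avail() const { return buf_end - end; }
};

// Mirrors the assignments in IOBufferBlock::set(); `patched` selects the
// base used for buf_end (start before the patch, buf after it).
Block set_block(char *buf, int64_t len, int64_t offset, bool patched) {
  Block b;
  b.buf = buf;
  b.start = buf + offset;
  b.end = b.start + len;
  b.buf_end = (patched ? buf : b.start) + BLOCK_SIZE;
  return b;
}

// Two adjacent BLOCK_SIZE regions stand in for neighbouring allocator
// objects. Fill the first block's reported free space, then count how many
// bytes of the second region were overwritten.
int64_t neighbour_bytes_clobbered(int64_t len, int64_t offset, bool patched) {
  char arena[2 * BLOCK_SIZE];
  std::memset(arena, 0, sizeof(arena));
  Block b = set_block(arena, len, offset, patched);
  std::memset(b.end, 0xFF, static_cast<size_t>(b.write_avail()));
  int64_t n = 0;
  for (int64_t i = BLOCK_SIZE; i < 2 * BLOCK_SIZE; ++i)
    n += (arena[i] != 0);
  return n;
}

int main() {
  // Constructed sample: offset 32, 16 bytes already in the block.
  std::printf("before patch: %lld neighbour bytes overwritten\n",
              (long long)neighbour_bytes_clobbered(16, 32, false));
  std::printf("after patch:  %lld neighbour bytes overwritten\n",
              (long long)neighbour_bytes_clobbered(16, 32, true));
  return 0;
}
```

Before the patch the over-report equals `offset`, so blocks set with `offset == 0` are unaffected.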