You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Oknet Xu (JIRA)" <ji...@apache.org> on 2015/07/10 16:54:04 UTC

[jira] [Comment Edited] (TS-3754) IOBuffer memory leak

    [ https://issues.apache.org/jira/browse/TS-3754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622401#comment-14622401 ] 

Oknet Xu edited comment on TS-3754 at 7/10/15 2:53 PM:
-------------------------------------------------------

suggest fix it immediately due to the reason list at below:
- the IOBufferData alloced from ioDataAllocator and the size is calculate by 128*2^n .
- the write_avail()  = _buf_end - _end
- write operation will overwrite the next IOBufferData object in ioDataAllocator and the data in IOBufferData will be corrupted if _buf_end is exceeded.
- the freelist in ProxyAllocator object maybe broken if the memory area belongs to next IOBufferData object is availabed to alloc or dealloc by THREAD_FREE




was (Author: oknet):
suggest fix it immediately due to the reason list at below:
- the IOBufferData alloced from ioDataAllocator and the size is calculate by 128*2^n .
- the write_avail()  is _buf_end - _end
- write operation will overwrite the next IOBufferData object in ioDataAllocator and the data in IOBufferData will be corrupted if _buf_end is exceeded.
- the freelist in ProxyAllocator object maybe broken if the memory area belongs to next IOBufferData object is availabed to alloc or dealloc by THREAD_FREE



> IOBuffer memory leak
> --------------------
>
>                 Key: TS-3754
>                 URL: https://issues.apache.org/jira/browse/TS-3754
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>            Reporter: Oknet Xu
>            Priority: Critical
>
> the pointer `_end_buf` exceed the IOBufferData->_data size if offset > 0
> patch at below
> {code}
> diff --git a/iocore/eventsystem/P_IOBuffer.h b/iocore/eventsystem/P_IOBuffer.h
> index 3b8c323..71de17d 100644
> --- a/iocore/eventsystem/P_IOBuffer.h
> +++ b/iocore/eventsystem/P_IOBuffer.h
> @@ -477,7 +477,7 @@ IOBufferBlock::set(IOBufferData *d, int64_t len, int64_t offset)
>    data = d;
>    _start = buf() + offset;
>    _end = _start + len;
> -  _buf_end = _start + d->block_size();
> +  _buf_end = _buf() + d->block_size();
>  }
>  
>  TS_INLINE void
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)