You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by su...@apache.org on 2015/01/09 22:25:59 UTC
trafficserver git commit: [TS-3285]: Fix premature freeing of
MIOBuffer to prevent freelist corruption
Repository: trafficserver
Updated Branches:
refs/heads/master 8ea8aec05 -> 1e4d897d9
[TS-3285]: Fix premature freeing of MIOBuffer to prevent freelist corruption
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/1e4d897d
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/1e4d897d
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/1e4d897d
Branch: refs/heads/master
Commit: 1e4d897d913e85d1fda6bf376621b5c98c69d2d0
Parents: 8ea8aec
Author: Sudheer Vinukonda <su...@yahoo-inc.com>
Authored: Fri Jan 9 21:23:35 2015 +0000
Committer: Sudheer Vinukonda <su...@yahoo-inc.com>
Committed: Fri Jan 9 21:23:35 2015 +0000
----------------------------------------------------------------------
proxy/http/HttpSM.cc | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/1e4d897d/proxy/http/HttpSM.cc
----------------------------------------------------------------------
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 2d3434d..ee42ed4 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -1924,6 +1924,10 @@ HttpSM::state_send_server_request_header(int event, void *data)
// imediately, before receive the real response from original server.
if ((len == HTTP_LEN_100_CONTINUE) && (strncasecmp(expect, HTTP_VALUE_100_CONTINUE, HTTP_LEN_100_CONTINUE) == 0)) {
int64_t alloc_index = buffer_size_to_index(len_100_continue_response);
+ if (ua_entry->write_buffer) {
+ free_MIOBuffer(ua_entry->write_buffer);
+ ua_entry->write_buffer = NULL;
+ }
ua_entry->write_buffer = new_MIOBuffer(alloc_index);
IOBufferReader *buf_start = ua_entry->write_buffer->alloc_reader();
@@ -2657,12 +2661,16 @@ HttpSM::tunnel_handler_post(int event, void *data)
HttpTunnelProducer *p = tunnel.get_producer(ua_session);
if (event != HTTP_TUNNEL_EVENT_DONE) {
+ if ((event == VC_EVENT_WRITE_COMPLETE) || (event == VC_EVENT_EOS)) {
+ if (ua_entry->write_buffer) {
+ free_MIOBuffer(ua_entry->write_buffer);
+ ua_entry->write_buffer = NULL;
+ }
+ }
if (t_state.http_config_param->send_408_post_timeout_response && p->handler_state == HTTP_SM_POST_UA_FAIL) {
Debug("http_tunnel", "cleanup tunnel in tunnel_handler_post");
hsm_release_assert(ua_entry->in_tunnel == true);
ink_assert((event == VC_EVENT_WRITE_COMPLETE) || (event == VC_EVENT_EOS));
- free_MIOBuffer(ua_entry->write_buffer);
- ua_entry->write_buffer = NULL;
vc_table.cleanup_all();
tunnel.chain_abort_all(p);
p->read_vio = NULL;
@@ -3419,15 +3427,6 @@ HttpSM::tunnel_handler_post_ua(int event, HttpTunnelProducer * p)
case VC_EVENT_READ_COMPLETE:
case HTTP_TUNNEL_EVENT_PRECOMPLETE:
- // We have completed reading POST data from client here.
- // It's time to free MIOBuffer of 100 Continue's response now,
- // althought this is a little late.
- if (t_state.http_config_param->send_100_continue_response &&
- ua_entry->write_buffer) {
- free_MIOBuffer(ua_entry->write_buffer);
- ua_entry->write_buffer = NULL;
- }
-
p->handler_state = HTTP_SM_POST_SUCCESS;
p->read_success = true;
ua_entry->in_tunnel = false;