Posted to issues@trafficserver.apache.org by "Alan M. Carroll (JIRA)" <ji...@apache.org> on 2016/10/18 14:50:58 UTC

[jira] [Commented] (TS-4978) CID 1364311: Memory - illegal accesses (USE_AFTER_FREE) in iocore/net/SSLConfig.cc

    [ https://issues.apache.org/jira/browse/TS-4978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15585649#comment-15585649 ] 

Alan M. Carroll commented on TS-4978:
-------------------------------------

I changed my mind, I think Coverity might be on to something here. The intent of the code seems to be that earlier in this method {{cleanup}} is called which does {{free}} {{ticket_key_filename}}. Then {{REC_ReadConfigStringAlloc}} is called to get a newly allocated copy. However, {{ticket_key_filename}} is not reset after {{free}} and {{REC_ReadConfigStringAlloc}} does not update the pointer on failure. Therefore if {{ticket_key_filename}} was previously allocated and {{REC_ReadConfigStringAlloc}} fails a use after free could occur. One solution is to clear {{ticket_key_filename}}, another is to just use the return value of {{REC_ReadConfigStringAlloc}} rather than check the value of {{ticket_key_filename}}.

> CID 1364311:  Memory - illegal accesses  (USE_AFTER_FREE) in iocore/net/SSLConfig.cc
> ------------------------------------------------------------------------------------
>
>                 Key: TS-4978
>                 URL: https://issues.apache.org/jira/browse/TS-4978
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: TLS
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>             Fix For: 7.1.0
>
>
> I think this is perhaps from TS-4858:
> {code}
> *** CID 1364311:  Memory - illegal accesses  (USE_AFTER_FREE)
> /iocore/net/SSLConfig.cc: 258 in SSLConfigParams::initialize()()
> 252       ats_free(ssl_server_ca_cert_filename);
> 253       ats_free(CACertRelativePath);
> 254     
> 255     #if HAVE_OPENSSL_SESSION_TICKETS
> 256       REC_ReadConfigStringAlloc(ticket_key_filename, "proxy.config.ssl.server.ticket_key.filename");
> 257       if (this->ticket_key_filename != NULL) {
>    CID 1364311:  Memory - illegal accesses  (USE_AFTER_FREE)
>    Passing freed pointer "this->ticket_key_filename" as an argument to "relative_to".
> 258         ats_scoped_str ticket_key_path(Layout::relative_to(this->serverCertPathOnly, this->ticket_key_filename));
> 259         default_global_keyblock = ssl_create_ticket_keyblock(ticket_key_path);
> 260       } else {
> 261         default_global_keyblock = ssl_create_ticket_keyblock(NULL);
> 262       }
> 263     #endif
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
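
The failure path described in the comment above, as an added C++ sketch that is not Traffic Server code. `demo_free`, `read_config_string_alloc`, `Params` and the `reload_*` functions are hypothetical stand-ins; `demo_free` quarantines pointers instead of releasing them, so the stale case can be detected without touching freed memory.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Stand-in for ats_free: quarantine instead of releasing, so the demo can
// recognise a stale pointer without itself reading freed memory.
static const void *g_freed[16];
static int g_nfreed = 0;
static void demo_free(void *p) { if (p && g_nfreed < 16) g_freed[g_nfreed++] = p; }
static bool is_stale(const void *p) {
  for (int i = 0; i < g_nfreed; ++i) if (g_freed[i] == p) return true;
  return false;
}

// Stand-in for REC_ReadConfigStringAlloc. Assumption taken from the comment:
// on failure (modelled as value == nullptr) `out` is left untouched.
static bool read_config_string_alloc(char *&out, const char *value) {
  if (!value) return false;
  out = static_cast<char *>(malloc(strlen(value) + 1));
  strcpy(out, value);
  return true;
}

struct Params { char *ticket_key_filename = nullptr; };
enum Branch { USED_FILENAME, USED_DEFAULT, USED_STALE_POINTER };

// Shape flagged by Coverity: free without reset, then test the member.
static Branch reload_buggy(Params &p, const char *value) {
  demo_free(p.ticket_key_filename);  // cleanup step: member still holds old address
  read_config_string_alloc(p.ticket_key_filename, value);
  if (p.ticket_key_filename != nullptr)
    return is_stale(p.ticket_key_filename) ? USED_STALE_POINTER : USED_FILENAME;
  return USED_DEFAULT;
}

// Both remedies from the comment: clear after free, branch on the return value.
static Branch reload_fixed(Params &p, const char *value) {
  demo_free(p.ticket_key_filename);
  p.ticket_key_filename = nullptr;
  if (read_config_string_alloc(p.ticket_key_filename, value)) return USED_FILENAME;
  return USED_DEFAULT;
}

int main() {
  Params a, b;
  reload_buggy(a, "ticket.key");  // constructed sample value
  reload_fixed(b, "ticket.key");
  printf("buggy=%d fixed=%d\n", reload_buggy(a, nullptr), reload_fixed(b, nullptr));
}
```

The second reload, with the read failing, is the case that matters: the buggy shape takes the non-NULL branch with the previously freed address, while the fixed shape falls through to the default keyblock path.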