Posted to issues@trafficserver.apache.org by "Alan M. Carroll (JIRA)" <ji...@apache.org> on 2016/10/18 14:50:58 UTC
[jira] [Commented] (TS-4978) CID 1364311: Memory - illegal accesses (USE_AFTER_FREE) in iocore/net/SSLConfig.cc
[ https://issues.apache.org/jira/browse/TS-4978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15585649#comment-15585649 ]
Alan M. Carroll commented on TS-4978:
-------------------------------------
I changed my mind, I think Coverity might be on to something here. The intent of the code seems to be that earlier in this method {{cleanup}} is called which does {{free}} {{ticket_key_filename}}. Then {{REC_ReadConfigStringAlloc}} is called to get a newly allocated copy. However, {{ticket_key_filename}} is not reset after {{free}} and {{REC_ReadConfigStringAlloc}} does not update the pointer on failure. Therefore, if {{ticket_key_filename}} was previously allocated and {{REC_ReadConfigStringAlloc}} fails, a use after free could occur. One solution is to clear {{ticket_key_filename}}, another is to just check the return value of {{REC_ReadConfigStringAlloc}} rather than check the value of {{ticket_key_filename}}.
> CID 1364311: Memory - illegal accesses (USE_AFTER_FREE) in iocore/net/SSLConfig.cc
> ------------------------------------------------------------------------------------
>
> Key: TS-4978
> URL: https://issues.apache.org/jira/browse/TS-4978
> Project: Traffic Server
> Issue Type: Bug
> Components: TLS
> Reporter: Leif Hedstrom
> Assignee: Susan Hinrichs
> Fix For: 7.1.0
>
>
> I think this is perhaps from TS-4858:
> {code}
> *** CID 1364311: Memory - illegal accesses (USE_AFTER_FREE)
> /iocore/net/SSLConfig.cc: 258 in SSLConfigParams::initialize()()
> 252 ats_free(ssl_server_ca_cert_filename);
> 253 ats_free(CACertRelativePath);
> 254
> 255 #if HAVE_OPENSSL_SESSION_TICKETS
> 256 REC_ReadConfigStringAlloc(ticket_key_filename, "proxy.config.ssl.server.ticket_key.filename");
> 257 if (this->ticket_key_filename != NULL) {
> CID 1364311: Memory - illegal accesses (USE_AFTER_FREE)
> Passing freed pointer "this->ticket_key_filename" as an argument to "relative_to".
> 258 ats_scoped_str ticket_key_path(Layout::relative_to(this->serverCertPathOnly, this->ticket_key_filename));
> 259 default_global_keyblock = ssl_create_ticket_keyblock(ticket_key_path);
> 260 } else {
> 261 default_global_keyblock = ssl_create_ticket_keyblock(NULL);
> 262 }
> 263 #endif
> {code}
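Added example, not part of the original message and not Traffic Server code: a small C model of the sequence described in the comment above (free without reset, a reader that leaves the pointer untouched on failure, then a non-NULL check), next to the two fixes it proposes. `struct params`, `read_config_string_alloc`, `reload`, the mode names and the sample value `ticket.key` are hypothetical stand-ins constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct params { char *ticket_key_filename; };
enum mode { AS_REPORTED, FIX_RESET_ON_FREE, FIX_CHECK_RETURN };

/* Hypothetical stand-in for the config reader: on success *out gets a fresh
 * heap copy; on failure (modelled by value == NULL) *out is left untouched. */
static bool read_config_string_alloc(char **out, const char *value) {
    if (value == NULL) return false;
    size_t n = strlen(value) + 1;
    char *copy = malloc(n);
    if (copy == NULL) return false;
    memcpy(copy, value, n);
    *out = copy;
    return true;
}

/* One reload. Returns true when the caller would go on to build a path from
 * ticket_key_filename; the pointer is only compared here, never dereferenced. */
static bool reload(struct params *p, enum mode m, const char *configured) {
    free(p->ticket_key_filename);               /* cleanup step */
    if (m == FIX_RESET_ON_FREE)
        p->ticket_key_filename = NULL;          /* fix 1: clear after free */
    bool ok = read_config_string_alloc(&p->ticket_key_filename, configured);
    if (m == FIX_CHECK_RETURN) {                /* fix 2: trust the return value */
        if (!ok) p->ticket_key_filename = NULL; /* model also clears it, or the next reload frees twice */
        return ok;
    }
    return p->ticket_key_filename != NULL;      /* reported check: a stale address passes */
}

/* Constructed scenario: first load succeeds, second lookup yields `second`. */
static bool second_reload_uses_filename(enum mode m, const char *second) {
    struct params p = { NULL };
    reload(&p, m, "ticket.key");                /* constructed sample value */
    bool used = reload(&p, m, second);
    if (m == AS_REPORTED && second == NULL)
        p.ticket_key_filename = NULL;           /* dangling: must not be freed again */
    free(p.ticket_key_filename);
    return used;
}

int main(void) {
    printf("as reported:   %d\n", second_reload_uses_filename(AS_REPORTED, NULL));
    printf("reset on free: %d\n", second_reload_uses_filename(FIX_RESET_ON_FREE, NULL));
    printf("check return:  %d\n", second_reload_uses_filename(FIX_CHECK_RETURN, NULL));
    return 0;
}
```

A result of 1 for the as-reported mode means the filename branch is taken with a freed address after a failed lookup; both fixes fall through to the default branch instead.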