Manjesh Nilange created TS-1273:
-----------------------------------
Summary: Crash report: selective deleting instances of mime header
field which has duplicates causes core dump
Key: TS-1273
URL: https://issues.apache.org/jira/browse/TS-1273
Project: Traffic Server
Issue Type: Bug
Components: MIME
Affects Versions: 3.0.4
Reporter: Manjesh Nilange
Try this header plugin:
#include <ts/ts.h>
static int deleteLastCookie(TSCont, TSEvent, void *);
// Plugin entry point: creates one global continuation around
// deleteLastCookie and attaches it to the send-response-header hook, so the
// handler runs for every transaction just before the response headers go
// back to the client.
void TSPluginInit(int argc, const char *argv[])
{
  // The second argument to TSContCreate is 0, i.e. no mutex is supplied for
  // the continuation. argc/argv are not used by this reproduction plugin.
  TSHttpHookAdd(TS_HTTP_SEND_RESPONSE_HDR_HOOK, TSContCreate(deleteLastCookie, 0));
}
// Continuation handler for TS_HTTP_SEND_RESPONSE_HDR_HOOK (see TSPluginInit).
//
// Walks the chain of duplicate Set-Cookie fields in the client response and
// deletes only the last one (the field for which TSMimeHdrFieldNextDup
// returns no successor). Every other duplicate is left in place.
//
// This is the reproduction case for the crash in this report: the backtrace
// shows the fault under TSMimeHdrFieldDestroy -> mime_hdr_field_delete ->
// mime_hdr_field_detach. The response headers being edited come from the
// origin, so the number of Set-Cookie duplicates that reach this code is
// whatever the origin sends.
//
// Always re-enables the transaction with TS_EVENT_HTTP_CONTINUE and returns 0.
// cont and event are not used.
static int deleteLastCookie(TSCont cont, TSEvent event, void *edata)
{
  TSHttpTxn txn = static_cast<TSHttpTxn>(edata);
  TSMBuffer respBuf;
  TSMLoc respLoc;

  if (TSHttpTxnClientRespGet(txn, &respBuf, &respLoc) == TS_SUCCESS) {
    TSMLoc next;
    for (TSMLoc cur = TSMimeHdrFieldFind(respBuf, respLoc, TS_MIME_FIELD_SET_COOKIE, -1); cur; cur = next) {
      // Fetch the successor before touching the current field, so the walk
      // can continue after the current handle has been released.
      next = TSMimeHdrFieldNextDup(respBuf, respLoc, cur);

      const bool isLastDup = !next;
      if (isLastDup) {
        // NOTE(review): the field is explicitly removed and then destroyed.
        // The backtrace shows Destroy itself reaching mime_hdr_field_detach;
        // whether the preceding Remove is what leaves the field without a
        // predecessor in the duplicate chain is not visible here - confirm
        // against MIME.cc.
        TSMimeHdrFieldRemove(respBuf, respLoc, cur);
        TSMimeHdrFieldDestroy(respBuf, respLoc, cur);
      }

      // The handle is released on every iteration, including the one where
      // the field was just destroyed.
      TSHandleMLocRelease(respBuf, respLoc, cur);
    }
    TSHandleMLocRelease(respBuf, 0, respLoc);
  } else {
    // Without the response header there is nothing to edit; the transaction
    // is still re-enabled below so it does not stall.
    TSError("Could not get client response object");
  }

  TSHttpTxnReenable(txn, TS_EVENT_HTTP_CONTINUE);
  return 0;
}
together with this origin server (OS) script:
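<?php
// Origin-side fixture for this crash report. Each setcookie() call below is
// expected to emit its own Set-Cookie header, so the response that reaches the
// proxy carries eight Set-Cookie fields, i.e. duplicates of one MIME field.
//
// Signature, for reference (kept on one comment line so the script parses):
// bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )
//
// Only the final call passes $secure = true and none pass $httponly = true;
// these are fixture values for the repro, not a template for session cookies.
setcookie('foo', 'bar1');
setcookie('foo', 'bar2', time() + 1000, "/", "www.test.com", false, false);
setcookie('foo2', 'bar4', time() + 1000, "/", ".test.com", false, false);
setcookie('foo', 'bar3', time() + 1000, "/", ".www.test.com", false, false);
setcookie('foo2', 'bar4', time() + 1000, "/", ".test.com", false, false);
setcookie('foo2', 'bar5', time() + 1000, "/", "test.com", false, false);
setcookie('foo3', 'bar6');
setcookie('foo3', 'bar6', time() + 1000, "/", "www.test.com", true, false);
?>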
<html>
<body>
This is a test
</body>
</html>
With this setup, Traffic Server consistently dumps core with this stack trace:
(gdb) bt
#0 mime_hdr_field_detach (mh=0x7ffff403f8c8, field=0x7ffff403fa58,
detach_all_dups=false) at MIME.cc:1640
#1 0x00000000005a0237 in mime_hdr_field_delete (heap=0x7ffff403f810,
mh=0x7ffff403f8c8, field=0x7ffff403fa58,
delete_all_dups=<value optimized out>) at MIME.cc:1688
#2 0x00000000004a6a51 in TSMimeHdrFieldDestroy (bufp=0x7fffec251ab8,
mh_mloc=0x7ffff403f898,
field_mloc=0x7fffdc0258d0) at InkAPI.cc:2719
#3 0x00007fffed56ba73 in deleteLastCookie(tsapi_cont*, TSEvent, void*) ()
from /home/mnilange/temp/mime-field-crash.so
#4 0x00000000005137a5 in HttpSM::state_api_callout (this=0x7fffec2511c0,
event=<value optimized out>,
data=<value optimized out>) at HttpSM.cc:1374
#5 0x000000000051bc6c in HttpSM::set_next_state (this=0x7fffec2511c0) at
HttpSM.cc:6534
#6 0x000000000050912f in HttpSM::call_transact_and_set_next_state
(this=0x7fffec2511c0, f=<value optimized out>)
at HttpSM.cc:6329
#7 0x00000000005134f8 in HttpSM::state_api_callout (this=0x7fffec2511c0,
event=0, data=0x0) at HttpSM.cc:1448
#8 0x0000000000514d38 in do_api_callout (this=0x7fffec2511c0, event=100,
data=0x7fffe401db80) at HttpSM.cc:497
#9 HttpSM::state_read_server_response_header (this=0x7fffec2511c0, event=100,
data=0x7fffe401db80)
at HttpSM.cc:1826
#10 0x0000000000515cc8 in HttpSM::main_handler (this=0x7fffec2511c0, event=100,
data=0x7fffe401db80)
at HttpSM.cc:2439
#11 0x00000000006346bb in handleEvent (event=<value optimized out>,
vc=0x7fffe401d9c0)
at ../../iocore/eventsystem/I_Continuation.h:146
#12 read_signal_and_update (event=<value optimized out>, vc=0x7fffe401d9c0) at
UnixNetVConnection.cc:138
#13 0x00000000006371f1 in read_from_net (nh=0x7ffff6630628, vc=0x7fffe401d9c0,
thread=<value optimized out>)
at UnixNetVConnection.cc:320
#14 0x0000000000630952 in NetHandler::mainNetEvent (this=0x7ffff6630628,
event=<value optimized out>,
e=<value optimized out>) at UnixNet.cc:389
#15 0x0000000000656d24 in handleEvent (this=0x7ffff662f010, e=0xfc1190,
calling_code=5) at I_Continuation.h:146
#16 EThread::process_event (this=0x7ffff662f010, e=0xfc1190, calling_code=5) at
UnixEThread.cc:140
#17 0x00000000006576b3 in EThread::execute (this=0x7ffff662f010) at
UnixEThread.cc:262
#18 0x0000000000655f82 in spawn_thread_internal (a=0xfbb570) at Thread.cc:88
#19 0x000000320aa077e1 in start_thread () from /lib64/libpthread.so.0
#20 0x000000320a6e68ed in clone () from /lib64/libc.so.6
proxy/hdrs/MIME.cc:1640 shows
while (prev && (prev->m_next_dup != field))
prev = prev->m_next_dup;
ink_assert(prev != NULL);
if (prev->m_next_dup == field)
prev->m_next_dup = next_dup;
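So the code does not expect prev to be NULL (it asserts on it), yet prev is
part of the while condition, which means the loop is allowed to end with
prev == NULL - contradictory. If the assertion does not stop execution, the
next statement dereferences prev->m_next_dup through a NULL pointer.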