Yunkai Zhang created TS-1913:
--------------------------------
Summary: Fix MIOBuffer::append_xmalloced()
Key: TS-1913
URL: https://issues.apache.org/jira/browse/TS-1913
Project: Traffic Server
Issue Type: Bug
Components: Core
Reporter: Yunkai Zhang

When ATS receives a malicious request whose URL is too long to be held by
internal_msg_buffer, the internal_msg_buffer_size might be set to 0.
As a result, the appended memory, which was allocated by ats_malloc(), would
be mistaken for memory from ink_freelist, and would finally be freed to
ink_freelist.

As this memory is larger than the ones in ink_freelist, and all memory in
the original ink_freelist would not be reclaimed, it wouldn't cause a
segmentation fault; that is why we didn't notice it in the past.

But after we use reclaimable-freelist, this bug would cause a segmentation
fault when it was freed back to the OS by munmap().
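
A minimal model of the confusion this report describes, added here as an illustration and not taken from Traffic Server. It assumes a block's origin is carried in a signed size index, so a heap block recorded with size 0 looks like a freelist block; every name in it (`encode_heap`, `release_block`, `append_heap_block`, the arena) is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, NOT Traffic Server code. Assumption: a block's origin is
 * encoded in one signed index; >= 0 is a freelist size class, < 0 means a
 * heap block of -index bytes. A heap block of size 0 then encodes as class 0. */
#define CHUNK 128
#define NCHUNKS 4
static union { void *align; unsigned char bytes[NCHUNKS * CHUNK]; } arena;
static void *free_head;   /* intrusive singly linked freelist */
static int free_count;

enum path { TO_HEAP, TO_FREELIST, REJECTED };

static long encode_heap(long size) { return -size; }
static int looks_like_freelist(long size_index) { return size_index >= 0; }

/* True only for chunk-aligned addresses inside the freelist's own arena. */
static int in_arena(const void *p) {
    uintptr_t a = (uintptr_t)arena.bytes, x = (uintptr_t)p;
    return x >= a && x < a + sizeof arena.bytes && (x - a) % CHUNK == 0;
}

/* Hardened release: the index alone never admits a block to the freelist. */
static enum path release_block(void *p, long size_index) {
    if (!looks_like_freelist(size_index)) { free(p); return TO_HEAP; }
    if (!in_arena(p)) return REJECTED;   /* foreign pointer, leave untouched */
    *(void **)p = free_head;             /* push onto the freelist */
    free_head = p;
    free_count++;
    return TO_FREELIST;
}

/* Hardened append: refuse sizes whose encoding would be ambiguous. */
static int append_heap_block(void *p, long size, long *size_index_out) {
    if (p == NULL || size <= 0) return -1;
    *size_index_out = encode_heap(size);
    return 0;
}

int main(void) {
    void *p = malloc(4096);              /* constructed sample block */
    printf("size 0 looks like freelist: %d\n", looks_like_freelist(encode_heap(0)));
    printf("release with index 0: %d (REJECTED=%d)\n", release_block(p, encode_heap(0)), REJECTED);
    printf("release with real size: %d (TO_HEAP=%d)\n", release_block(p, encode_heap(4096)), TO_HEAP);
    return 0;
}
```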