[ https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683340#comment-13683340 ]
ASF subversion and git services commented on TS-1923:
-----------------------------------------------------
Commit 9f8195f443e1e16862cbb7abc0497ec64dafd025 in branch refs/heads/3.2.x from [~yunkai]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=9f8195f ]
TS-1923: Fix resolve_logfield_string()
When bytes_resolved is 0, we should free result directly;
otherwise it will return a non-NULL result to the caller with
strlen(result) == 0, which will lead to an ATS crash.
Signed-off-by: Yunkai Zhang <[email protected]>
Signed-off-by: Zhao Yongming <[email protected]>
Conflicts:
CHANGES
test/review: igalic, sorber, zwoop
backport: igalic
> 3.2.x - Fix resolve_logfield_string()
> -------------------------------------
>
> Key: TS-1923
> URL: https://issues.apache.org/jira/browse/TS-1923
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.2.4
> Reporter: Yunkai Zhang
> Assignee: Igor Galić
> Fix For: 3.2.5
>
> Attachments: 0001-Fix-resolve_logfield_string.patch
>
>
> When ATS receives a malicious request whose URL is too long to be held by
> internal_msg_buffer, internal_msg_buffer_size might be set to 0.
> As a result, the appended memory allocated by ats_malloc() would
> be mistaken for memory from ink_freelist, and would finally be freed
> to ink_freelist.
> As this memory is larger than the one in ink_freelist, and all memory in
> the original ink_freelist would not be reclaimed, it wouldn't cause a
> segmentation fault; that is why we didn't notice it in the past.
> But after we started using the reclaimable freelist, this bug would cause a
> segmentation fault when using it to get inner meta-data or freeing it back
> to the OS with munmap().
> ===
> Now, we found the root cause which leads to internal_msg_buffer_size being 0
> while internal_msg_buffer is NOT NULL.
> That is the resolve_logfield_string() function. Let's fix it.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
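The following C program is an added illustration of the fix pattern the commit message describes; it is not Traffic Server code and none of its names (resolve_fields, lookup, append, buffer_state_consistent, resolve_and_check, resolves_to, the field table) exist in ATS. It models a small "%<name>" field resolver whose caller treats a size of 0 as "no buffer owned". In the pre-fix mode the resolver hands back a non-NULL, zero-length buffer, which leaves the caller holding the (non-NULL pointer, size 0) pair the ticket traces to freeing through the wrong path; in the fixed mode it frees the empty result and returns NULL, so that pair can never arise.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed field table standing in for whatever lookups a real log-field
 * resolver performs. Names and values are sample data for this example only. */
struct field { const char *name; const char *value; };
static const struct field fields[] = {
    { "host", "origin.example" },
    { "path", "/index.html" },
};

static const char *lookup(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if (strlen(fields[i].name) == len && memcmp(fields[i].name, name, len) == 0)
            return fields[i].value;
    return NULL;
}

/* Append n bytes of s to a growable, NUL-terminated heap buffer. */
static int append(char **buf, size_t *len, size_t *cap, const char *s, size_t n)
{
    if (*len + n + 1 > *cap) {
        size_t ncap = (*len + n + 1) * 2;
        char *nb = realloc(*buf, ncap);
        if (nb == NULL)
            return -1;
        *buf = nb;
        *cap = ncap;
    }
    memcpy(*buf + *len, s, n);
    *len += n;
    (*buf)[*len] = '\0';
    return 0;
}

/* Expand "%<name>" markers in fmt; unknown names expand to nothing. Returns a
 * malloc'd string and stores its length in *bytes_resolved, or NULL (with
 * *bytes_resolved = 0) on allocation failure. With fix_empty set, an empty
 * result is freed and NULL returned, which is what the TS-1923 commit does;
 * with it clear, the empty non-NULL buffer is handed back (pre-fix behaviour). */
char *resolve_fields(const char *fmt, size_t *bytes_resolved, int fix_empty)
{
    size_t len = 0, cap = 16;
    char *result = malloc(cap);
    if (result == NULL) {
        *bytes_resolved = 0;
        return NULL;
    }
    result[0] = '\0';
    for (const char *p = fmt; *p != '\0';) {
        if (p[0] == '%' && p[1] == '<') {
            const char *end = strchr(p + 2, '>');
            if (end != NULL) {
                const char *v = lookup(p + 2, (size_t)(end - (p + 2)));
                if (v != NULL && append(&result, &len, &cap, v, strlen(v)) < 0)
                    goto fail;
                p = end + 1;
                continue;
            }
        }
        if (append(&result, &len, &cap, p, 1) < 0)   /* literal byte */
            goto fail;
        p++;
    }
    *bytes_resolved = len;
    if (len == 0 && fix_empty) {
        free(result);   /* nothing resolved: hand back no buffer at all */
        return NULL;
    }
    return result;
fail:
    free(result);
    *bytes_resolved = 0;
    return NULL;
}

/* Caller-side invariant: a non-NULL buffer must have a non-zero size, because
 * size 0 is what the caller reads as "no buffer owned". */
int buffer_state_consistent(const char *buf, size_t size)
{
    return (buf == NULL) == (size == 0);
}

/* Resolve fmt with or without the fix; 1 if the (buffer, size) pair the caller
 * would store is consistent, 0 if it is the dangerous (non-NULL, 0) pair. */
int resolve_and_check(const char *fmt, int fix_empty)
{
    size_t n = 0;
    char *r = resolve_fields(fmt, &n, fix_empty);
    int ok = buffer_state_consistent(r, n);
    free(r);
    return ok;
}

/* 1 if fmt resolves (with the fix) to exactly expected, else 0. */
int resolves_to(const char *fmt, const char *expected)
{
    size_t n = 0;
    char *r = resolve_fields(fmt, &n, 1);
    int ok = r != NULL && n == strlen(expected) && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    printf("pre-fix, nothing resolves: consistent=%d\n", resolve_and_check("%<nosuch>", 0));
    printf("fixed,   nothing resolves: consistent=%d\n", resolve_and_check("%<nosuch>", 1));
    printf("fixed,   fields resolve:   consistent=%d\n", resolve_and_check("%<host>%<path>", 1));
    return 0;
}
```

The point of resolve_and_check is the second printf line against the first: with the pre-fix behaviour an unresolvable format yields a non-NULL pointer with size 0, which is exactly the internal_msg_buffer / internal_msg_buffer_size mismatch the ticket describes, and the fix makes that state unreachable rather than asking every caller to special-case it.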