Brian Geffon created TS-3359:
--------------------------------
Summary: Use after free: Tunnel destroyed without updating HttpSM
Key: TS-3359
URL: https://issues.apache.org/jira/browse/TS-3359
Project: Traffic Server
Issue Type: Bug
Components: Core
Reporter: Brian Geffon

In HttpSM there is a member called ua_session, which is an HttpClientSession.
When chain_abort_all() is called in HttpSM::tunnel_handler_server in the
is_http_server_eos_truncation() case, it causes this client session to be
destroyed, but it is later referenced in HttpSM::tunnel_handler_server.
Typically this object will be on the freelist and it will happily address the
memory; however, under high loads this will obviously lead to issues. This was
detected by disabling freelist and using address sanitizer. The patch will be
attached.
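The pattern in the report, as an added C++ example that is not Traffic Server code and not the attached patch: a freelist keeps released memory mapped, so a stale owner pointer reads without a crash and can land on a slot recycled for another session. Session, FreeList, StateMachine, abort_all and handler_after_abort are hypothetical stand-ins (only the member name ua_session comes from the report), and clearing the owner's pointer is one general mitigation assumed here.

```cpp
#include <cstdio>
#include <vector>

struct Session { int id; bool live; };           // hypothetical stand-in for a client session

class FreeList {                                 // hypothetical recycling allocator
  std::vector<Session*> free_;
public:
  Session* alloc(int id) {
    Session* s;
    if (!free_.empty()) { s = free_.back(); free_.pop_back(); }  // reuse a released slot
    else s = new Session;
    s->id = id; s->live = true;
    return s;
  }
  // "Destroy" only parks the slot: memory stays addressable, so stale reads do not fault.
  void release(Session* s) { s->live = false; free_.push_back(s); }
  ~FreeList() { for (auto* s : free_) delete s; }
};

struct StateMachine { Session* ua_session = nullptr; };  // owner holding a raw pointer

// Abort path that destroys the session. clear_owner=false models the reported bug;
// clear_owner=true models the assumed mitigation of updating the owner.
void abort_all(FreeList& fl, StateMachine& sm, bool clear_owner) {
  fl.release(sm.ua_session);
  if (clear_owner) sm.ua_session = nullptr;
}

// Returns the session id the handler sees after the abort, or -1 if it
// correctly notices that the session is gone.
int handler_after_abort(FreeList& fl, bool clear_owner) {
  StateMachine sm;
  sm.ua_session = fl.alloc(1);
  abort_all(fl, sm, clear_owner);
  Session* other = fl.alloc(2);                  // another transaction recycles the slot
  int seen = sm.ua_session ? sm.ua_session->id : -1;
  fl.release(other);
  return seen;
}

int main() {
  FreeList fl;
  std::printf("stale pointer sees session %d\n", handler_after_abort(fl, false));
  std::printf("cleared pointer sees %d\n", handler_after_abort(fl, true));
  return 0;
}
```

Because the freelist never returns the slot to the heap, AddressSanitizer has nothing to flag in this model, which is why the report's detection step disables the freelist first.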