[
https://issues.apache.org/jira/browse/TS-3359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14328591#comment-14328591
]
ASF subversion and git services commented on TS-3359:
-----------------------------------------------------
Commit b490a3c0bfed449423475c336a139a06cf5a441a in trafficserver's branch
refs/heads/5.2.x from [~zwoop]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=b490a3c ]
Add TS-3359 to CHANGES
> Use after free: Tunnel destroyed without updating HttpSM
> --------------------------------------------------------
>
> Key: TS-3359
> URL: https://issues.apache.org/jira/browse/TS-3359
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Brian Geffon
> Assignee: Brian Geffon
> Fix For: 5.2.1, 5.3.0
>
>
> In HttpSM there is a member called ua_session which is a HttpClientSession.
> When chain_abort_all() is called in HttpSM::tunnel_handler_server on the
> is_http_server_eos_truncation() case it causes this client session to be
> destroyed but it is later referenced in HttpSM::tunnel_handler_server.
> Typically this object will be on the freelist and it will happily address the
> memory; however, under high loads this will obviously lead to issues. This
> was detected by disabling freelist and using address sanitizer. The patch
> will be attached.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
