[
https://issues.apache.org/jira/browse/TS-3513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14492681#comment-14492681
]
Bryan Call edited comment on TS-3513 at 4/13/15 5:14 PM:
---------------------------------------------------------
It looks like the problem is in decode_string() when detecting a compression
error:
{code}
const uint8_t *p = buf_start;
bool isHuffman = *p & 0x80;
uint32_t encoded_string_len = 0;
int64_t len = 0;

len = decode_integer(encoded_string_len, p, buf_end, 7);
if (len == HPACK_ERROR_COMPRESSION_ERROR)
  return HPACK_ERROR_COMPRESSION_ERROR;
p += len;

if (encoded_string_len > HEADER_FIELD_LIMIT_LENGTH || buf_start + encoded_string_len >= buf_end) {
  // <--- encoded_string_len should be 0 and buf_start will always be less than
  // buf_end, so this conditional will always be false
  return HPACK_ERROR_COMPRESSION_ERROR;
}
{code}
was (Author: bcall):
It looks like the problem is in decode_string() when detecting a compression
error:
{code}
const uint8_t *p = buf_start;
bool isHuffman = *p & 0x80;
uint32_t encoded_string_len = 0;
int64_t len = 0;

len = decode_integer(encoded_string_len, p, buf_end, 7);
if (len == HPACK_ERROR_COMPRESSION_ERROR)
  return HPACK_ERROR_COMPRESSION_ERROR;
p += len;

if (encoded_string_len > HEADER_FIELD_LIMIT_LENGTH || buf_start + encoded_string_len >= buf_end) {
  // <--- encoded_string_len should be 0 and buf_start will always be less than
  // buf_end
  return HPACK_ERROR_COMPRESSION_ERROR;
}
{code}
> http2 core dump
> ---------------
>
> Key: TS-3513
> URL: https://issues.apache.org/jira/browse/TS-3513
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP/2
> Affects Versions: 5.3.0
> Reporter: Bryan Call
> Assignee: Ryo Okubo
> Labels: crash
> Fix For: 6.0.0
>
>
> {code}
> traffic_server: Segmentation fault (Invalid permissions for mapped object
> [0x2ab5cbb3854d])traffic_server - STACK TRACE:
> /usr/bin/traffic_server(_Z19crash_logger_invokeiP7siginfoPv+0xc3)[0x50abe2]
> /lib64/libpthread.so.0(+0x3bb560f710)[0x2ab4b57c8710]
> /lib64/libc.so.6(memmove+0x107)[0x3bb4e83907]
> /usr/bin/traffic_server[0x63e8b4]
> /usr/bin/traffic_server(_ZN20Http2ConnectionState18main_event_handlerEiPv+0x2eb)[0x640137]
> /usr/bin/traffic_server(_ZN12Continuation11handleEventEiPv+0x6c)[0x50da20]
> /usr/bin/traffic_server[0x63b5fd]
> /usr/bin/traffic_server(_ZN18Http2ClientSession25state_complete_frame_readEiPv+0x28f)[0x63d379]
> /usr/bin/traffic_server(_ZN18Http2ClientSession18main_event_handlerEiPv+0xfb)[0x63c26d]
> /usr/bin/traffic_server(_ZN12Continuation11handleEventEiPv+0x6c)[0x50da20]
> /usr/bin/traffic_server(_ZN18Http2ClientSession22state_start_frame_readEiPv+0x892)[0x63d0c0]
> /usr/bin/traffic_server(_ZN18Http2ClientSession18main_event_handlerEiPv+0xfb)[0x63c26d]
> /usr/bin/traffic_server(_ZN12Continuation11handleEventEiPv+0x6c)[0x50da20]
> /usr/bin/traffic_server[0x76dac7]
> /usr/bin/traffic_server(_ZN18UnixNetVConnection19readSignalAndUpdateEi+0x20)[0x7703f4]
> /usr/bin/traffic_server(_ZN17SSLNetVConnection11net_read_ioEP10NetHandlerP7EThread+0x832)[0x75751c]
> /usr/bin/traffic_server(_ZN10NetHandler12mainNetEventEiP5Event+0x628)[0x7676c8]
> /usr/bin/traffic_server(_ZN12Continuation11handleEventEiPv+0x6c)[0x50da20]
> /usr/bin/traffic_server(_ZN7EThread13process_eventEP5Eventi+0xc6)[0x78de82]
> /usr/bin/traffic_server(_ZN7EThread7executeEv+0x3dc)[0x78e38c]
> /usr/bin/traffic_server[0x78d43d]
> /lib64/libpthread.so.0(+0x3bb56079d1)[0x2ab4b57c09d1]
> /lib64/libc.so.6(clone+0x6d)[0x3bb4ee88fd]
> {code}
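
A length check of the kind the comment above is about, as an added example that is not Traffic Server's code and not the fix for TS-3513: it decodes an HPACK string-literal header (RFC 7541 sections 5.1 and 5.2) and compares the declared length with the bytes remaining after the length prefix, so an oversized length is rejected before anything is copied. The names `decode_prefixed_int`, `decode_string_bounds`, `DECODE_ERROR` and `MAX_STRING_LEN` are hypothetical, and the 4096-byte limit is an assumed value.

```cpp
#include <cstdint>

// Hypothetical names for this example; not Traffic Server identifiers.
constexpr int64_t DECODE_ERROR = -1;
constexpr uint32_t MAX_STRING_LEN = 4096; // assumed per-string limit

// RFC 7541 section 5.1: N-bit prefixed integer. Returns bytes consumed.
int64_t decode_prefixed_int(uint32_t &dst, const uint8_t *p, const uint8_t *end, uint8_t n)
{
  if (p >= end) return DECODE_ERROR;
  const uint8_t *start = p;
  const uint32_t mask = (1u << n) - 1;
  uint64_t value = *p++ & mask;
  if (value == mask) { // continuation bytes follow, 7 bits each
    uint32_t shift = 0;
    uint8_t b;
    do {
      if (p >= end || shift > 28) return DECODE_ERROR; // truncated or oversized
      b = *p++;
      value += static_cast<uint64_t>(b & 0x7f) << shift;
      shift += 7;
    } while (b & 0x80);
    if (value > UINT32_MAX) return DECODE_ERROR;
  }
  dst = static_cast<uint32_t>(value);
  return p - start;
}

// RFC 7541 section 5.2: string literal header. On success, str/str_len
// describe the payload inside the buffer and the return value is the total
// number of bytes consumed (length prefix plus payload).
int64_t decode_string_bounds(const uint8_t *buf_start, const uint8_t *buf_end,
                             const uint8_t *&str, uint32_t &str_len, bool &huffman)
{
  if (buf_start >= buf_end) return DECODE_ERROR;
  huffman = (*buf_start & 0x80) != 0;
  uint32_t declared = 0;
  int64_t n = decode_prefixed_int(declared, buf_start, buf_end, 7);
  if (n == DECODE_ERROR) return DECODE_ERROR;
  const uint8_t *p = buf_start + n; // first payload byte
  // Compare against the bytes left after the prefix. Subtracting pointers
  // avoids forming an out-of-range pointer such as p + declared.
  if (declared > MAX_STRING_LEN || declared > static_cast<uint64_t>(buf_end - p))
    return DECODE_ERROR;
  str = p;
  str_len = declared;
  return n + declared;
}
```
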