[ 
https://issues.apache.org/jira/browse/TS-3621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Phil Sorber closed TS-3621.
---------------------------
       Resolution: Duplicate
    Fix Version/s:     (was: 6.0.0)

Sorry, this was already fixed in master. By me no less...

> url_sig plugin crashes on bad input
> -----------------------------------
>
>                 Key: TS-3621
>                 URL: https://issues.apache.org/jira/browse/TS-3621
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Phil Sorber
>            Assignee: Phil Sorber
>
> {noformat}
> (gdb) bt full
> #0  TSRemapNewInstance (argc=<value optimized out>, argv=<value optimized out>, ih=<value optimized out>, errbuf=0x7fff4d986600 "", errbuf_size=2047) at url_sig.c:114
>         pos = 0x0
>         value = <value optimized out>
>         config_file = 
> "/opt/trafficserver/etc/trafficserver/url_sig_nbcsg-live-west-tba.config", 
> '\000' <repeats 417 times>"\266, \222\021G5+", '\000' <repeats 26 
> times>"\266, 
> \222\021G5+\000\000\037\000\000\000\000\000\000\000\266\222\021G5+\000\000\351\200\"\313\000\000\000\000\000\a\230M\377\177\000\000\037\000\000\000\000\000\000\000x\rFK5+\000\000(|\372!\000\000\000\000Ǜ\021G5+\000\000\026S\n\316\000\000\000\000\360\351\207\000\000\000\000\000(\000\000\000\065+\000\000\364kSI5+\000\000\000\000\000\000\000\000\000\000\200\b\230M\377\177\000\000\270wSI5"...
>         i = <value optimized out>
>         cfg = 0x4545a20
>         install_dir = <value optimized out>
>         file = 0x4546a50
>         line = 
> "<!--\n\000\000\000\244\022\350G5+\000\000P\016\350G5+\000\000\062\000\000\000\000\000\000\000\267?S\004\000\000\000\000\300\317Y\003\000\000\000\000\240\022S\004\000\000\000\000\240\022S\004\000\000\000\000\020\vX\003\000\000\000\000\020p\306K5+\000\000\000n\230M\377\177\000\000\002\000\000\000\000\000\000\000\000V\230M\377\177\000\000\240A\242\000\000\000\000\000\005\000\000\000\000\000\000\000\001",
>  '\000' <repeats 15 times>, "p", '\000' <repeats 31 times>, 
> "\005\000\000\000\061\000\000\000[\000\000\000|\000\000\000w\000\000\000n\000\000\000\064\000\000\000\000\000\000\000=\000\000\000\000\000\000\000=\000\000\000\000\000\000\000\200.\006J5+\000\000=\000\000\000\000\000\000\000\200:T\004\000\000\000\000\002\000\000\000\000\000\000\000\241"...
>         line_no = 1
>         keynum = <value optimized out>
> {noformat}
> {noformat}
> (gdb) l
> 109         continue;
> 110       char *pos = strchr(line, '=');
> 111       if (pos == NULL) {
> 112         TSError("Error parsing line %d of file %s (%s).", line_no, config_file, line);
> 113       }
> 114       *pos = '\0';
> 115       char *value = pos + 1;
> 116       while (isspace(*value))     // remove whitespace
> 117         value++;
> 118       pos = strchr(value, '\n');  // remove the new line, terminate the string
> {noformat}
> We can deref pos when it is NULL



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
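
The listing in the report logs the parse error at line 112 but then falls through to the write at line 114. As an added example (not the Traffic Server fix, which the thread does not show), here is one way to split such a config line so a missing `=` is rejected before `pos` is used; the helper name, return codes, `#` comment convention and sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from url_sig.c: splits one "key = value" line in
 * place. Returns 1 on success, 0 for a blank or '#' comment line (assumed
 * convention), -1 for a malformed line that the caller must reject. */
int parse_config_line(char *line, char **key, char **value)
{
  *key = *value = NULL;
  while (isspace((unsigned char)*line))
    line++;
  if (*line == '\0' || *line == '#')
    return 0;

  char *pos = strchr(line, '=');
  if (pos == NULL)  /* e.g. "<!--\n": stop here, never write through pos */
    return -1;
  *pos = '\0';

  char *end = pos;  /* trim whitespace between the key and '=' */
  while (end > line && isspace((unsigned char)end[-1]))
    *--end = '\0';
  if (end == line)  /* nothing before '=' */
    return -1;

  char *val = pos + 1;
  while (isspace((unsigned char)*val))  /* cast avoids UB on bytes >= 0x80 */
    val++;
  char *nl = strchr(val, '\n');  /* the last line of a file may lack '\n' */
  if (nl != NULL)
    *nl = '\0';

  *key = line;
  *value = val;
  return 1;
}

int main(void)
{
  /* Constructed sample lines; the first is the input seen in the backtrace. */
  char lines[][32] = {"<!--\n", "key0 = abc123\n", "error_url=403"};
  for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
    char *k, *v;
    int rc = parse_config_line(lines[i], &k, &v);
    printf("rc=%d key=%s value=%s\n", rc, k ? k : "-", v ? v : "-");
  }
  return 0;
}
```

The caller should treat `-1` as a load failure for the remap instance rather than logging and continuing, since continuing is what led to the crash in the report.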
