[
https://issues.apache.org/jira/browse/TS-3633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Leif Hedstrom updated TS-3633:
------------------------------
Affects Version/s: 5.3.0
> SPDY memory use after free
> --------------------------
>
> Key: TS-3633
> URL: https://issues.apache.org/jira/browse/TS-3633
> Project: Traffic Server
> Issue Type: Bug
> Components: SPDY
> Affects Versions: 5.3.0
> Reporter: Leif Hedstrom
> Fix For: 6.0.0
>
>
> From ASAN:
> {code}
> ==2681==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x6110002785f4 at pc 0x7d9fc2 bp 0x2b9286cae7f0 sp 0x2b9286cae7e8
> READ of size 1 at 0x6110002785f4 thread T4 ([ET_NET 3])
> #0 0x7d9fc1 in spdy_process_fetch
> /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:332
> #1 0x7d9fc1 in SpdyClientSession::state_session_readwrite(int, void*)
> /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
> #2 0x4f2258 in Continuation::handleEvent(int, void*)
> ../iocore/eventsystem/I_Continuation.h:145
> #3 0x4f2258 in FetchSM::InvokePluginExt(int)
> /usr/local/src/trafficserver/proxy/FetchSM.cc:254
> #4 0x4f54aa in FetchSM::fetch_handler(int, void*)
> /usr/local/src/trafficserver/proxy/FetchSM.cc:520
> #5 0x5a0907 in Continuation::handleEvent(int, void*)
> ../iocore/eventsystem/I_Continuation.h:145
> #6 0x5a0907 in PluginVC::process_write_side(bool)
> /usr/local/src/trafficserver/proxy/PluginVC.cc:509
> #7 0x5ab4fd in PluginVC::main_handler(int, void*)
> /usr/local/src/trafficserver/proxy/PluginVC.cc:208
> #8 0xc859fe in Continuation::handleEvent(int, void*)
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
> #9 0xc859fe in EThread::process_event(Event*, int)
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #10 0xc87669 in EThread::execute()
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
> #11 0xc84618 in spawn_thread_internal
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
> #12 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> #13 0x2b92811e11ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x6110002785f4 is located 52 bytes inside of 224-byte region
> [0x6110002785c0,0x6110002786a0)
> freed by thread T4 ([ET_NET 3]) here:
> #0 0x2b927d5771c7 in __interceptor_free
> ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
> #1 0x7e02a3 in ClassAllocator<SpdyRequest>::free(SpdyRequest*)
> ../../lib/ts/Allocator.h:134
> #2 0x7e02a3 in SpdyClientSession::cleanup_request(int)
> /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.h:137
> #3 0x7e02a3 in spdy_prepare_status_response_and_clean_request(SpdyClientSession*, int, char const*)
> /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:85
> #4 0x7d8ef4 in spdy_process_fetch
> /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:347
> #5 0x7d8ef4 in SpdyClientSession::state_session_readwrite(int, void*)
> /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
> #6 0x4f2be5 in Continuation::handleEvent(int, void*)
> ../iocore/eventsystem/I_Continuation.h:145
> #7 0x4f2be5 in FetchSM::InvokePluginExt(int)
> /usr/local/src/trafficserver/proxy/FetchSM.cc:263
> #8 0x4f3dfa in FetchSM::process_fetch_read(int)
> /usr/local/src/trafficserver/proxy/FetchSM.cc:469
> #9 0x4f5492 in FetchSM::fetch_handler(int, void*)
> /usr/local/src/trafficserver/proxy/FetchSM.cc:518
> #10 0x59f247 in Continuation::handleEvent(int, void*)
> ../iocore/eventsystem/I_Continuation.h:145
> #11 0x59f247 in PluginVC::process_read_side(bool)
> /usr/local/src/trafficserver/proxy/PluginVC.cc:629
> #12 0x5abd79 in PluginVC::main_handler(int, void*)
> /usr/local/src/trafficserver/proxy/PluginVC.cc:204
> #13 0xc859fe in Continuation::handleEvent(int, void*)
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
> #14 0xc859fe in EThread::process_event(Event*, int)
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #15 0xc87669 in EThread::execute()
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
> #16 0xc84618 in spawn_thread_internal
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
> #17 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T4 ([ET_NET 3]) here:
> #0 0x2b927d57793b in __interceptor_posix_memalign
> ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
> #1 0x2b927e4612d9 in ats_memalign
> /usr/local/src/trafficserver/lib/ts/ink_memory.cc:96
> #2 0x2b927e461b90 in ink_freelist_new
> /usr/local/src/trafficserver/lib/ts/ink_queue.cc:243
> #3 0x7e082a in ClassAllocator<SpdyRequest>::alloc()
> ../../lib/ts/Allocator.h:120
> #4 0x7e082a in spdy_on_ctrl_recv_callback(spdylay_session*,
> spdylay_frame_type, spdylay_frame*, void*)
> /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:312
> #5 0x2b927f11303f in spdylay_session_call_on_ctrl_frame_received
> /admin/src/spdylay/lib/spdylay_session.c:1634
> #6 0x2b927f11303f in spdylay_session_on_syn_stream_received
> /admin/src/spdylay/lib/spdylay_session.c:1782
> #7 0x5693900000193
> Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
> #0 0x2b927d54686a in __interceptor_pthread_create
> ../../.././libsanitizer/asan/asan_interceptors.cc:183
> #1 0xc852a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
> #2 0xc852a5 in Thread::start(char const*, unsigned long, void*
> (*)(void*), void*)
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
> #3 0xc8d826 in EventProcessor::start(int, unsigned long)
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
> #4 0x499003 in main /usr/local/src/trafficserver/proxy/Main.cc:1647
> #5 0x2b928110caf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)