[
https://issues.apache.org/jira/browse/TS-3754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622401#comment-14622401
]
Oknet Xu commented on TS-3754:
------------------------------
Suggest fixing it immediately, for the reasons listed below:
- the IOBufferData is allocated from ioDataAllocator and the size is calculated as 128*2^n.
- the write_avail() is _buf_end - _end
- a write operation will overwrite the next IOBufferData object in ioDataAllocator, and the data in IOBufferData will be corrupted, if _buf_end is exceeded.
- the freelist in the ProxyAllocator object may be broken if the memory area belonging to the next IOBufferData object is available to alloc or dealloc by THREAD_FREE
> IOBuffer memory leak
> --------------------
>
> Key: TS-3754
> URL: https://issues.apache.org/jira/browse/TS-3754
> Project: Traffic Server
> Issue Type: Bug
> Components: Core
> Reporter: Oknet Xu
> Priority: Critical
>
> The pointer `_end_buf` exceeds the IOBufferData->_data size if offset > 0.
> Patch below:
> {code}
> diff --git a/iocore/eventsystem/P_IOBuffer.h b/iocore/eventsystem/P_IOBuffer.h
> index 3b8c323..71de17d 100644
> --- a/iocore/eventsystem/P_IOBuffer.h
> +++ b/iocore/eventsystem/P_IOBuffer.h
> @@ -477,7 +477,7 @@ IOBufferBlock::set(IOBufferData *d, int64_t len, int64_t
> offset)
> data = d;
> _start = buf() + offset;
> _end = _start + len;
> - _buf_end = _start + d->block_size();
> + _buf_end = _buf() + d->block_size();
> }
>
> TS_INLINE void
> {code}
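Review bot: the added line calls `_buf()`, while the unchanged context line two above it uses `buf()` (`_start = buf() + offset;`). Nothing in the hunk shows a `_buf()` accessor, so this looks like a typo for `_buf_end = buf() + d->block_size();` and should be confirmed to compile. Separately, `set()` still accepts any `len` and `offset`: with the corrected limit, a caller passing `offset + len > d->block_size()` leaves `_end` beyond `_buf_end`, so an assertion on that bound at the top of the function would be worth adding in the same change.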
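The overrun described in the comment and addressed by the patch, modelled as an added C++ example (not Traffic Server code). `Block`, `set_buggy`, `set_fixed` and `neighbour_bytes_clobbered` are hypothetical names, and the two data regions are assumed to sit back to back in one arena so the model never writes outside its own memory.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Simplified stand-in for IOBufferBlock: only the pointers the comment discusses.
struct Block {
  char *start, *end, *buf_end;
  int64_t write_avail() const { return buf_end - end; }  // _buf_end - _end
};

// Pre-patch behaviour: the limit is measured from _start, so it moves with offset.
Block set_buggy(char *data, int64_t block_size, int64_t len, int64_t offset) {
  Block b;
  b.start = data + offset;
  b.end = b.start + len;
  b.buf_end = b.start + block_size;
  return b;
}

// Patched behaviour: the limit is measured from the start of the data area.
Block set_fixed(char *data, int64_t block_size, int64_t len, int64_t offset) {
  Block b = set_buggy(data, block_size, len, offset);
  b.buf_end = data + block_size;
  return b;
}

// Fill a block up to write_avail() and count the bytes that landed in the
// adjacent region. Requires offset + len <= block_size (constructed model).
int64_t neighbour_bytes_clobbered(bool fixed, int64_t block_size, int64_t len, int64_t offset) {
  std::vector<char> arena(2 * block_size, 'N');  // [0,bs) = this block, [bs,2bs) = neighbour
  Block b = fixed ? set_fixed(arena.data(), block_size, len, offset)
                  : set_buggy(arena.data(), block_size, len, offset);
  std::memset(b.end, 'W', static_cast<size_t>(b.write_avail()));
  int64_t hit = 0;
  for (int64_t i = block_size; i < 2 * block_size; ++i)
    if (arena[i] == 'W') ++hit;
  return hit;
}

int main() {
  // Constructed input: smallest size class (128 bytes), 10 bytes used, offset 32.
  std::printf("buggy: %lld neighbour bytes overwritten\n",
              (long long)neighbour_bytes_clobbered(false, 128, 10, 32));
  std::printf("fixed: %lld neighbour bytes overwritten\n",
              (long long)neighbour_bytes_clobbered(true, 128, 10, 32));
  return 0;
}
```

In this model the pre-patch form over-reports `write_avail()` by exactly `offset` bytes, which is why the problem only appears when `offset > 0`.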