Bryan Call created TS-3909:
------------------------------
Summary: SSLNextProtocolTrampoline heap-use-after-free
Key: TS-3909
URL: https://issues.apache.org/jira/browse/TS-3909
Project: Traffic Server
Issue Type: Bug
Components: SSL
Reporter: Bryan Call
{code}
==6232==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000538880
at pc 0x9c851c bp 0x2ac88a2d4880 sp 0x2ac88a2d4878
READ of size 8 at 0x606000538880 thread T24 ([ET_NET 23])
#0 0x9c851b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:108
#1 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#2 0x9f4040 in read_signal_and_update
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
#3 0x9f46f4 in read_signal_done
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
#4 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
#5 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542
#6 0x9e1a02 in NetHandler::mainNetEvent(int, Event*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
#7 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#8 0xa405e4 in EThread::process_event(Event*, int)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
#9 0xa411fc in EThread::execute()
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
#10 0xa3ebbd in spawn_thread_internal
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
#11 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
#12 0x2ac87e74b1ac in __clone (/lib64/libc.so.6+0xf61ac)
0x606000538880 is located 0 bytes inside of 56-byte region
[0x606000538880,0x6060005388b8)
freed by thread T24 ([ET_NET 23]) here:
#0 0x2ac87acd6127 in operator delete(void*)
../../.././libsanitizer/asan/asan_new_delete.cc:81
#1 0x9c8613 in SSLNextProtocolTrampoline::~SSLNextProtocolTrampoline()
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:66
#2 0x9c83ea in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89
#3 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#4 0x9f4040 in read_signal_and_update
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
#5 0x9fbe75 in UnixNetVConnection::mainEvent(int, Event*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1175
#6 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#7 0x9e35e4 in NetHandler::_close_vc(UnixNetVConnection*, long, int&, int&, int&, int&)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:678
#8 0x9e2c01 in NetHandler::manage_keep_alive_queue()
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:634
#9 0x9e3882 in NetHandler::add_to_keep_alive_queue(UnixNetVConnection*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:699
#10 0x9ddb48 in UnixNetVConnection::add_to_keep_alive_queue()
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixConnection.cc:397
#11 0x759044 in SpdyClientSession::init(NetVConnection*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:116
#12 0x7598da in SpdyClientSession::new_connection(NetVConnection*, MIOBuffer*, IOBufferReader*, bool)
/home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:193
#13 0x7582dc in SpdySessionAccept::mainEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdySessionAccept.cc:56
#14 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#15 0x9c78a5 in send_plugin_event
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:32
#16 0x9c842b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:99
#17 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#18 0x9f4040 in read_signal_and_update
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
#19 0x9f46f4 in read_signal_done
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
#20 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
#21 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542
#22 0x9e1a02 in NetHandler::mainNetEvent(int, Event*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
#23 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#24 0xa405e4 in EThread::process_event(Event*, int)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
#25 0xa411fc in EThread::execute()
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
#26 0xa3ebbd in spawn_thread_internal
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
#27 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
previously allocated by thread T24 ([ET_NET 23]) here:
#0 0x2ac87acd5caf in operator new(unsigned long)
../../.././libsanitizer/asan/asan_new_delete.cc:50
#1 0x9c7c2d in SSLNextProtocolAccept::mainEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:133
#2 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#3 0x9fb50d in UnixNetVConnection::acceptEvent(int, Event*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1100
#4 0x531046 in Continuation::handleEvent(int, void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
#5 0xa405e4 in EThread::process_event(Event*, int)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
#6 0xa40a97 in EThread::execute()
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179
#7 0xa3ebbd in spawn_thread_internal
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
#8 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
Thread T24 ([ET_NET 23]) created by T0 ([ET_NET 0]) here:
#0 0x2ac87aca487a in __interceptor_pthread_create
../../.././libsanitizer/asan/asan_interceptors.cc:183
#1 0xa3e6ea in ink_thread_create ../../lib/ts/ink_thread.h:150
#2 0xa3ed47 in Thread::start(char const*, unsigned long, void* (*)(void*), void*)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
#3 0xa43dad in EventProcessor::start(int, unsigned long)
/home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
#4 0x59180f in main
/home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
#5 0x2ac87e676af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
{code}