[ 
https://issues.apache.org/jira/browse/TS-4978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15585649#comment-15585649
 ] 

Alan M. Carroll commented on TS-4978:
-------------------------------------

I changed my mind, I think Coverity might be on to something here. The intent 
of the code seems to be that earlier in this method {{cleanup}} is called, which 
does {{free}} {{ticket_key_filename}}. Then {{REC_ReadConfigStringAlloc}} is 
called to get a newly allocated copy. However, {{ticket_key_filename}} is not 
reset after {{free}} and {{REC_ReadConfigStringAlloc}} does not update the 
pointer on failure. Therefore, if {{ticket_key_filename}} was previously 
allocated and {{REC_ReadConfigStringAlloc}} fails, a use after free could occur. 
One solution is to clear {{ticket_key_filename}}, another is to just use the 
return value of {{REC_ReadConfigStringAlloc}} rather than check the value of 
{{ticket_key_filename}}.

> CID 1364311:  Memory - illegal accesses  (USE_AFTER_FREE) in 
> iocore/net/SSLConfig.cc
> ------------------------------------------------------------------------------------
>
>                 Key: TS-4978
>                 URL: https://issues.apache.org/jira/browse/TS-4978
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: TLS
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>             Fix For: 7.1.0
>
>
> I think this is perhaps from TS-4858:
> {code}
> *** CID 1364311:  Memory - illegal accesses  (USE_AFTER_FREE)
> /iocore/net/SSLConfig.cc: 258 in SSLConfigParams::initialize()()
> 252       ats_free(ssl_server_ca_cert_filename);
> 253       ats_free(CACertRelativePath);
> 254     
> 255     #if HAVE_OPENSSL_SESSION_TICKETS
> 256       REC_ReadConfigStringAlloc(ticket_key_filename, 
> "proxy.config.ssl.server.ticket_key.filename");
> 257       if (this->ticket_key_filename != NULL) {
>    CID 1364311:  Memory - illegal accesses  (USE_AFTER_FREE)
>    Passing freed pointer "this->ticket_key_filename" as an argument to 
> "relative_to".
> 258         ats_scoped_str 
> ticket_key_path(Layout::relative_to(this->serverCertPathOnly, 
> this->ticket_key_filename));
> 259         default_global_keyblock = 
> ssl_create_ticket_keyblock(ticket_key_path);
> 260       } else {
> 261         default_global_keyblock = ssl_create_ticket_keyblock(NULL);
> 262       }
> 263     #endif
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
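
The sequence described in the comment above, modelled as an added example that is not Traffic Server code: a first load succeeds, a later lookup fails, and the stale pointer passes the non-NULL check. `read_string_alloc`, the one-slot allocator, `reload` and the filename are hypothetical stand-ins, built so the stale pointer can be detected without reading freed memory.

```c
#include <stdio.h>

/* One-slot stand-in allocator: lets the demo detect a stale pointer
 * without ever reading freed heap memory. */
static char slot[64];
static int slot_live;
static char *demo_alloc(const char *s) {
    snprintf(slot, sizeof slot, "%s", s);
    slot_live = 1;
    return slot;
}
static void demo_free(char *p) { if (p == slot) slot_live = 0; }

/* Hypothetical stand-in for the config read: on failure (value == NULL)
 * it returns -1 and leaves *out untouched, as the comment describes. */
static int read_string_alloc(char **out, const char *value) {
    if (value == NULL) return -1;
    *out = demo_alloc(value);
    return 0;
}

enum mode { AS_REPORTED, CLEAR_AFTER_FREE, CHECK_RETURN };
enum path { KEY_FROM_FILE, KEY_DEFAULT, KEY_FROM_FREED_POINTER };
struct params { char *ticket_key_filename; };

/* Cleanup-then-reload; value == NULL simulates a failed lookup. */
static enum path reload(struct params *p, enum mode m, const char *value) {
    demo_free(p->ticket_key_filename);              /* what cleanup does */
    if (m == CLEAR_AFTER_FREE)
        p->ticket_key_filename = NULL;              /* option 1: reset */
    int rc = read_string_alloc(&p->ticket_key_filename, value);
    int use_file = (m == CHECK_RETURN)
        ? (rc == 0)                                 /* option 2: status */
        : (p->ticket_key_filename != NULL);         /* reported check */
    if (!use_file)
        return KEY_DEFAULT;
    return slot_live ? KEY_FROM_FILE : KEY_FROM_FREED_POINTER;
}

/* First load succeeds, second lookup fails; returns the path taken. */
static enum path second_load_fails(enum mode m) {
    struct params p = { NULL };
    reload(&p, m, "ticket.key");                    /* constructed filename */
    return reload(&p, m, NULL);
}

int main(void) {
    for (int m = AS_REPORTED; m <= CHECK_RETURN; m++)
        printf("mode %d -> path %d\n", m, second_load_fails((enum mode)m));
    return 0;
}
```

In this model the `CHECK_RETURN` variant still leaves the stale pointer in the struct after the failed lookup, so a later cleanup would free it a second time unless the pointer is also cleared.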
