[ https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Galić resolved TS-1923.
----------------------------

    Resolution: Fixed

> 3.2.x - Fix resolve_logfield_string()
> -------------------------------------
>
>                 Key: TS-1923
>                 URL: https://issues.apache.org/jira/browse/TS-1923
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.2.4
>            Reporter: Yunkai Zhang
>            Assignee: Igor Galić
>             Fix For: 3.2.5
>
>         Attachments: 0001-Fix-resolve_logfield_string.patch
>
>
> When ATS receives a malicious request whose URL is too long to be held by
> internal_msg_buffer, internal_msg_buffer_size might be set to 0.
> As a result, the appended memory, which was allocated by ats_malloc(), would
> be mistaken for memory from ink_freelist, and would eventually be freed to
> ink_freelist.
> As this memory is larger than the one in ink_freelist, and all memory in
> the original ink_freelist would not be reclaimed, it wouldn't cause a
> segmentation fault, which is why we didn't notice it in the past.
> But after we switched to the reclaimable freelist, this bug would cause a
> segmentation fault when using it to get inner meta-data or freeing it back
> to the OS with munmap().
> ===
> Now we have found the root cause that leads to internal_msg_buffer_size being 0
> while internal_msg_buffer is NOT NULL.
> That is the resolve_logfield_string() function. Let's fix it.
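The size/pointer mismatch the report describes, modelled in added example code that is constructed here and is not Traffic Server's ats_malloc()/ink_freelist implementation: a release path that trusts only the recorded size sends a heap block to the freelist once the resolver has left the size at 0, while the fixed resolver keeps the size in step with the live allocation. POOL_CHUNK, route_free, resolve_buggy, resolve_fixed and the cycle helpers are hypothetical names.

```c
#include <stdlib.h>
/* Constructed model of the TS-1923 defect, not Traffic Server code. A message owns a
 * buffer; on release, the recorded size alone decides whether the memory goes back to
 * a fixed-size freelist or the heap (a size threshold plus realloc()/free() stand in
 * for ink_freelist and ats_malloc()). */
#define POOL_CHUNK 64
enum route { ROUTE_NONE = 0, ROUTE_FREELIST = 1, ROUTE_HEAP = 2 };
struct msg { char *buf; size_t size; };   /* size must be 0 exactly when buf is NULL */
/* Release step: destination chosen from the recorded size only. */
static int route_free(const struct msg *m)
{
    if (m->buf == NULL) return ROUTE_NONE;
    return m->size <= POOL_CHUNK ? ROUTE_FREELIST : ROUTE_HEAP;
}
/* Buggy resolver: grows the buffer for an oversized input but records size 0. */
static int resolve_buggy(struct msg *m, size_t needed)
{
    char *p = realloc(m->buf, needed);
    if (p == NULL) return 0;
    m->buf = p;
    m->size = needed > POOL_CHUNK ? 0 : needed;   /* the defect */
    return 1;
}
/* Fixed resolver: size always describes the live allocation. */
static int resolve_fixed(struct msg *m, size_t needed)
{
    char *p = realloc(m->buf, needed);
    if (p == NULL) return 0;
    m->buf = p;
    m->size = needed;
    return 1;
}
/* One resolve-then-release cycle: where would the release send the buffer? */
static int cycle_route(int (*resolve)(struct msg *, size_t), size_t needed)
{
    struct msg m = { NULL, 0 };
    int r = resolve(&m, needed) ? route_free(&m) : ROUTE_NONE;
    free(m.buf);
    return r;
}
/* Same cycle, checking the invariant (size 0 exactly when buf is NULL) instead. */
static int cycle_consistent(int (*resolve)(struct msg *, size_t), size_t needed)
{
    struct msg m = { NULL, 0 };
    int ok = resolve(&m, needed) && ((m.size == 0) == (m.buf == NULL));
    free(m.buf);
    return ok;
}
```

Asserting the invariant checked by cycle_consistent before any release would have caught the mismatch long before the reclaimable freelist made it crash.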