[
https://issues.apache.org/jira/browse/TS-1273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Leif Hedstrom updated TS-1273:
------------------------------
Fix Version/s: (was: 5.2.0)
5.3.0
> Crash report: selectively deleting instances of mime header field which has
> duplicates causes core dump
> -------------------------------------------------------------------------------------------------------
>
> Key: TS-1273
> URL: https://issues.apache.org/jira/browse/TS-1273
> Project: Traffic Server
> Issue Type: Bug
> Components: MIME
> Affects Versions: 3.0.4
> Reporter: Manjesh Nilange
> Assignee: Susan Hinrichs
> Labels: Crash
> Fix For: 5.3.0
>
>
> Try header plugin
> #include <ts/ts.h>
> static int deleteLastCookie(TSCont, TSEvent, void *);
> void TSPluginInit(int argc, const char *argv[])
> {
> TSCont globalCont = TSContCreate(deleteLastCookie, 0);
> TSHttpHookAdd(TS_HTTP_SEND_RESPONSE_HDR_HOOK, globalCont);
> }
> static int deleteLastCookie(TSCont cont, TSEvent event, void *edata)
> {
> TSHttpTxn txn = static_cast<TSHttpTxn>(edata);
> TSMBuffer hdrBuf;
> TSMLoc hdrLoc;
> if (TSHttpTxnClientRespGet(txn, &hdrBuf, &hdrLoc) != TS_SUCCESS)
> {
> TSError("Could not get client response object");
> TSHttpTxnReenable(txn, TS_EVENT_HTTP_CONTINUE);
> return 0;
> }
> TSMLoc fieldLoc = TSMimeHdrFieldFind(hdrBuf, hdrLoc,
> TS_MIME_FIELD_SET_COOKIE, -1);
> while (fieldLoc)
> {
> TSMLoc nextFieldLoc = TSMimeHdrFieldNextDup(hdrBuf, hdrLoc, fieldLoc);
> if (!nextFieldLoc)
> {
> TSMimeHdrFieldRemove(hdrBuf, hdrLoc, fieldLoc);
> TSMimeHdrFieldDestroy(hdrBuf, hdrLoc, fieldLoc);
> }
> TSHandleMLocRelease(hdrBuf, hdrLoc, fieldLoc);
> fieldLoc = nextFieldLoc;
> }
> TSHandleMLocRelease(hdrBuf, 0, hdrLoc);
> TSHttpTxnReenable(txn, TS_EVENT_HTTP_CONTINUE);
> return 0;
> }
> with OS script
> <?php
> // bool setcookie ( string $name [, string $value [, int $expire = 0 [,
> string $path [, string $domain [, bool $secure = false [, bool $httponly =
> false ]]]]]] )
> setcookie('foo', 'bar1');
> setcookie('foo', 'bar2', time() + 1000, "/", "www.test.com", false, false);
> setcookie('foo2', 'bar4', time() + 1000, "/", ".test.com", false, false);
> setcookie('foo', 'bar3', time() + 1000, "/", ".www.test.com", false, false);
> setcookie('foo2', 'bar4', time() + 1000, "/", ".test.com", false, false);
> setcookie('foo2', 'bar5', time() + 1000, "/", "test.com", false, false);
> setcookie('foo3', 'bar6');
> setcookie('foo3', 'bar6', time() + 1000, "/", "www.test.com", true, false);
> ?>
> <html>
> <body>
> This is a test
> </body>
> </html>
> And there's a core consistently with this stack trace
> (gdb) bt
> #0 mime_hdr_field_detach (mh=0x7ffff403f8c8, field=0x7ffff403fa58,
> detach_all_dups=false) at MIME.cc:1640
> #1 0x00000000005a0237 in mime_hdr_field_delete (heap=0x7ffff403f810,
> mh=0x7ffff403f8c8, field=0x7ffff403fa58,
> delete_all_dups=<value optimized out>) at MIME.cc:1688
> #2 0x00000000004a6a51 in TSMimeHdrFieldDestroy (bufp=0x7fffec251ab8,
> mh_mloc=0x7ffff403f898,
> field_mloc=0x7fffdc0258d0) at InkAPI.cc:2719
> #3 0x00007fffed56ba73 in deleteLastCookie(tsapi_cont*, TSEvent, void*) ()
> from /home/mnilange/temp/mime-field-crash.so
> #4 0x00000000005137a5 in HttpSM::state_api_callout (this=0x7fffec2511c0,
> event=<value optimized out>,
> data=<value optimized out>) at HttpSM.cc:1374
> #5 0x000000000051bc6c in HttpSM::set_next_state (this=0x7fffec2511c0) at
> HttpSM.cc:6534
> #6 0x000000000050912f in HttpSM::call_transact_and_set_next_state
> (this=0x7fffec2511c0, f=<value optimized out>)
> at HttpSM.cc:6329
> #7 0x00000000005134f8 in HttpSM::state_api_callout (this=0x7fffec2511c0,
> event=0, data=0x0) at HttpSM.cc:1448
> #8 0x0000000000514d38 in do_api_callout (this=0x7fffec2511c0, event=100,
> data=0x7fffe401db80) at HttpSM.cc:497
> #9 HttpSM::state_read_server_response_header (this=0x7fffec2511c0,
> event=100, data=0x7fffe401db80)
> at HttpSM.cc:1826
> #10 0x0000000000515cc8 in HttpSM::main_handler (this=0x7fffec2511c0,
> event=100, data=0x7fffe401db80)
> at HttpSM.cc:2439
> #11 0x00000000006346bb in handleEvent (event=<value optimized out>,
> vc=0x7fffe401d9c0)
> at ../../iocore/eventsystem/I_Continuation.h:146
> #12 read_signal_and_update (event=<value optimized out>, vc=0x7fffe401d9c0)
> at UnixNetVConnection.cc:138
> #13 0x00000000006371f1 in read_from_net (nh=0x7ffff6630628,
> vc=0x7fffe401d9c0, thread=<value optimized out>)
> at UnixNetVConnection.cc:320
> #14 0x0000000000630952 in NetHandler::mainNetEvent (this=0x7ffff6630628,
> event=<value optimized out>,
> e=<value optimized out>) at UnixNet.cc:389
> #15 0x0000000000656d24 in handleEvent (this=0x7ffff662f010, e=0xfc1190,
> calling_code=5) at I_Continuation.h:146
> #16 EThread::process_event (this=0x7ffff662f010, e=0xfc1190, calling_code=5)
> at UnixEThread.cc:140
> #17 0x00000000006576b3 in EThread::execute (this=0x7ffff662f010) at
> UnixEThread.cc:262
> #18 0x0000000000655f82 in spawn_thread_internal (a=0xfbb570) at Thread.cc:88
> #19 0x000000320aa077e1 in start_thread () from /lib64/libpthread.so.0
> #20 0x000000320a6e68ed in clone () from /lib64/libc.so.6
> proxy/hdrs/MIME.cc:1640 shows
> while (prev && (prev->m_next_dup != field))
> prev = prev->m_next_dup;
> ink_assert(prev != NULL);
> if (prev->m_next_dup == field)
> prev->m_next_dup = next_dup;
> so prev is not expected to be null, but is part of the while condition -
> contradictory.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
