Leif Hedstrom created TS-3860:
---------------------------------

             Summary: Buffer overflow in H2 on debug build
                 Key: TS-3860
                 URL: https://issues.apache.org/jira/browse/TS-3860
             Project: Traffic Server
          Issue Type: Bug
          Components: HTTP/2
            Reporter: Leif Hedstrom


{code}
==15480==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x000000acafe8 at pc 0x7f13fa bp 0x7ff13b8e3ee0 sp 0x7ff13b8e3ed8
READ of size 1 at 0x000000acafe8 thread T8 ([ET_NET 7])
    #0 0x7f13f9 in checksum_block(char const*, int) 
/usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530
    #1 0x7f167f in mime_hdr_sanity_check(MIMEHdrImpl*) 
/usr/local/src/trafficserver/proxy/hdrs/MIME.cc:560
    #2 0x7f5d6d in mime_hdr_field_attach(MIMEHdrImpl*, MIMEField*, int, 
MIMEField*) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:1533
    #3 0x6fd29a in http2_write_psuedo_headers(HTTPHdr*, unsigned char*, 
unsigned long, Http2DynamicTable&) 
/usr/local/src/trafficserver/proxy/http2/HTTP2.cc:560
    #4 0x710ecd in Http2ConnectionState::send_headers_frame(FetchSM*) 
/usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:966
    #5 0x70f906 in Http2ConnectionState::main_event_handler(int, void*) 
/usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:768
    #6 0x53075a in Continuation::handleEvent(int, void*) 
/usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #7 0x704fe9 in send_connection_event 
/usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:60
    #8 0x707176 in Http2ClientSession::main_event_handler(int, void*) 
/usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:259
    #9 0x53075a in Continuation::handleEvent(int, void*) 
/usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #10 0x52bd6a in FetchSM::InvokePluginExt(int) 
/usr/local/src/trafficserver/proxy/FetchSM.cc:260
    #11 0x52d6e6 in FetchSM::process_fetch_read(int) 
/usr/local/src/trafficserver/proxy/FetchSM.cc:456
    #12 0x52df4a in FetchSM::fetch_handler(int, void*) 
/usr/local/src/trafficserver/proxy/FetchSM.cc:518
    #13 0x53075a in Continuation::handleEvent(int, void*) 
/usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #14 0x5abc09 in PluginVC::process_read_side(bool) 
/usr/local/src/trafficserver/proxy/PluginVC.cc:663
    #15 0x5aa834 in PluginVC::process_write_side(bool) 
/usr/local/src/trafficserver/proxy/PluginVC.cc:555
    #16 0x5a74dc in PluginVC::main_handler(int, void*) 
/usr/local/src/trafficserver/proxy/PluginVC.cc:208
    #17 0x53075a in Continuation::handleEvent(int, void*) 
/usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #18 0xa23154 in EThread::process_event(Event*, int) 
/usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #19 0xa236f7 in EThread::execute() 
/usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
    #20 0xa21662 in spawn_thread_internal 
/usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
    #21 0x7ff143381df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
    #22 0x7ff1426291ac in __clone (/lib64/libc.so.6+0xf61ac)

0x000000acafe8 is located 0 bytes to the right of global variable '*.LC7' from 
'HPACK.cc' (0xacafe0) of size 8
  '*.LC7' is ascii string ':status'
SUMMARY: AddressSanitizer: global-buffer-overflow 
/usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530 checksum_block(char const*, 
int)
Shadow bytes around the buggy address:
  0x0000801515a0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000801515b0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0000801515c0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
  0x0000801515d0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
  0x0000801515e0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9
=>0x0000801515f0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00[f9]f9 f9
  0x000080151600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080151610: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9
  0x000080151620: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 00 00
  0x000080151630: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080151640: 00 00 03 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
Thread T8 ([ET_NET 7]) created by T0 ([ET_NET 0]) here:
    #0 0x7ff14562786a in __interceptor_pthread_create 
../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0xa2113e in ink_thread_create ../../lib/ts/ink_thread.h:150
    #2 0xa217eb in Thread::start(char const*, unsigned long, void* (*)(void*), 
void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
    #3 0xa26d03 in EventProcessor::start(int, unsigned long) 
/usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
    #4 0x5942ff in main /usr/local/src/trafficserver/proxy/Main.cc:1624
    #5 0x7ff142554af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)

==15480==ABORTING
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
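The report above pins the read to one byte past an 8-byte string literal (`':status'`, seven characters plus the NUL) inside a debug-only header sanity check. The report does not show the MIME.cc loop itself, so the exact cause is not on this page. The following is an added C illustration, not Traffic Server code, of how a byte checksum over a header block produces exactly that ASan signature (READ of size 1, 0 bytes to the right of a global) when the loop bound is inclusive and the caller passes the object size rather than the character count, alongside a bounded form that validates the length against the owning object. All function names here are hypothetical.

```c
/* Added illustration, not Traffic Server's MIME.cc code. The function names
 * checksum_block_overread, checksum_block_bounded, checksum_block_checked,
 * checksum_status_name and status_len_accepted are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The 8-byte global from the ASan report: seven characters plus the NUL. */
static const char STATUS_LITERAL[] = ":status";

/* Hypothetical buggy form. With len == sizeof STATUS_LITERAL (8), the
 * inclusive bound reads block[8], one byte past the end of the literal:
 * under ASan that is "global-buffer-overflow ... READ of size 1 ... 0 bytes
 * to the right of global variable". Kept here only to show the shape of the
 * defect; it is never called below because the over-read is undefined
 * behaviour. */
uint32_t checksum_block_overread(const char *block, int len)
{
    uint32_t sum = 0;
    for (int i = 0; i <= len; i++)          /* BUG: should be i < len */
        sum = (sum << 1) ^ (unsigned char)block[i];
    return sum;
}

/* Bounded form: exclusive bound, and a NULL or non-positive length yields 0
 * instead of touching memory. */
uint32_t checksum_block_bounded(const char *block, int len)
{
    uint32_t sum = 0;
    if (block == NULL || len <= 0)
        return 0;
    for (int i = 0; i < len; i++)
        sum = (sum << 1) ^ (unsigned char)block[i];
    return sum;
}

/* Checked form: the caller also supplies the size of the object holding
 * `block`, and a request that would read past it is refused (-1) rather
 * than overrunning. This is the check a sanity routine should make before
 * trusting a length it did not compute itself. */
int checksum_block_checked(const char *block, size_t object_size, int len, uint32_t *out)
{
    if (block == NULL || out == NULL || len < 0 || (size_t)len > object_size)
        return -1;
    *out = checksum_block_bounded(block, len);
    return 0;
}

/* Checksum of the header-name characters as a caller should request them:
 * strlen(), not sizeof(), so the NUL is not part of the block. */
uint32_t checksum_status_name(void)
{
    return checksum_block_bounded(STATUS_LITERAL, (int)strlen(STATUS_LITERAL));
}

/* 1 if a checksum over `len` bytes of the ":status" literal is accepted by
 * the checked form, 0 if it is refused as out of bounds. */
int status_len_accepted(int len)
{
    uint32_t unused;
    return checksum_block_checked(STATUS_LITERAL, sizeof STATUS_LITERAL, len, &unused) == 0;
}

int main(void)
{
    printf("checksum(\":status\", strlen) = %u\n", checksum_status_name());
    printf("len 7 accepted: %d\n", status_len_accepted(7));   /* characters only */
    printf("len 8 accepted: %d\n", status_len_accepted(8));   /* includes the NUL, still in-bounds */
    printf("len 9 accepted: %d\n", status_len_accepted(9));   /* one past the object: refused */
    return 0;
}
```

To see the same report shape as the one filed above, build this file with `-fsanitize=address -g` and call `checksum_block_overread(STATUS_LITERAL, sizeof STATUS_LITERAL)`: ASan reports a 1-byte READ located 0 bytes to the right of the 8-byte global, which is the signature to look for when deciding whether a length was computed with `sizeof` (terminator included) or `strlen` (terminator excluded) and whether the consuming loop's bound is inclusive.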