[ https://issues.apache.org/jira/browse/TS-3860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14710764#comment-14710764 ]

Ryo Okubo commented on TS-3860:
-------------------------------

[~bcall] [~zwoop] I think adding a new flag would confuse ... as another approach, I posted a patch that disables the {{n_v_raw_printable}} flag. Can you try it?

> Buffer overflow in H2 on debug build
> ------------------------------------
>
> Key: TS-3860
> URL: https://issues.apache.org/jira/browse/TS-3860
> Project: Traffic Server
> Issue Type: Bug
> Components: HTTP/2
> Reporter: Leif Hedstrom
> Assignee: Ryo Okubo
> Labels: yahoo
> Fix For: 6.1.0
>
> Attachments: ts-3860-01.patch
>
>
> {code}
> ==15480==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000acafe8 at pc 0x7f13fa bp 0x7ff13b8e3ee0 sp 0x7ff13b8e3ed8
> READ of size 1 at 0x000000acafe8 thread T8 ([ET_NET 7])
>     #0 0x7f13f9 in checksum_block(char const*, int) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530
>     #1 0x7f167f in mime_hdr_sanity_check(MIMEHdrImpl*) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:560
>     #2 0x7f5d6d in mime_hdr_field_attach(MIMEHdrImpl*, MIMEField*, int, MIMEField*) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:1533
>     #3 0x6fd29a in http2_write_psuedo_headers(HTTPHdr*, unsigned char*, unsigned long, Http2DynamicTable&) /usr/local/src/trafficserver/proxy/http2/HTTP2.cc:560
>     #4 0x710ecd in Http2ConnectionState::send_headers_frame(FetchSM*) /usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:966
>     #5 0x70f906 in Http2ConnectionState::main_event_handler(int, void*) /usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:768
>     #6 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #7 0x704fe9 in send_connection_event /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:60
>     #8 0x707176 in Http2ClientSession::main_event_handler(int, void*) /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:259
>     #9 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #10 0x52bd6a in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:260
>     #11 0x52d6e6 in FetchSM::process_fetch_read(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:456
>     #12 0x52df4a in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:518
>     #13 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #14 0x5abc09 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:663
>     #15 0x5aa834 in PluginVC::process_write_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:555
>     #16 0x5a74dc in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:208
>     #17 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #18 0xa23154 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #19 0xa236f7 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #20 0xa21662 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #21 0x7ff143381df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #22 0x7ff1426291ac in __clone (/lib64/libc.so.6+0xf61ac)
>
> 0x000000acafe8 is located 0 bytes to the right of global variable '*.LC7' from 'HPACK.cc' (0xacafe0) of size 8
>   '*.LC7' is ascii string ':status'
> SUMMARY: AddressSanitizer: global-buffer-overflow /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530 checksum_block(char const*, int)
> Shadow bytes around the buggy address:
>   0x0000801515a0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x0000801515b0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
>   0x0000801515c0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
>   0x0000801515d0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
>   0x0000801515e0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9
> =>0x0000801515f0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00[f9]f9 f9
>   0x000080151600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080151610: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9
>   0x000080151620: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 00 00
>   0x000080151630: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x000080151640: 00 00 03 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> Thread T8 ([ET_NET 7]) created by T0 ([ET_NET 0]) here:
>     #0 0x7ff14562786a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xa2113e in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xa217eb in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xa26d03 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x5942ff in main /usr/local/src/trafficserver/proxy/Main.cc:1624
>     #5 0x7ff142554af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> ==15480==ABORTING
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
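The comment above proposes clearing the n_v_raw_printable flag on the field that the ASan report shows being checksummed past the end of the ":status" literal. As an added example (not Traffic Server code; the field layout, the helper names and the pad arithmetic are this example's own assumptions about what the flag implies), here is a toy model of the invariant such a flag asserts, name and value in one contiguous raw buffer, with the sanity check verifying that invariant before walking the span, so a field whose name points at a standalone string literal is rejected with the flag set and accepted with it cleared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy header field; names and layout are this example's assumptions, not ATS's. */
struct field {
    const char *name;  size_t name_len;
    const char *value; size_t value_len;
    size_t raw_pad;          /* separator/terminator bytes inside the raw block */
    bool n_v_raw_printable;  /* claims name..value form one contiguous raw block */
};

/* Debug-build sanity walk over a byte range, modelled on a checksum_block(). */
static unsigned checksum_block(const char *p, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++) sum = sum * 31 + (unsigned char)p[i];
    return sum;
}

/* What the flag implies: the value lies inside the block starting at the name
 * pointer and spanning name_len + value_len + raw_pad bytes (assumed layout). */
static bool raw_block_is_contiguous(const struct field *f)
{
    uintptr_t n = (uintptr_t)f->name, v = (uintptr_t)f->value;
    size_t span = f->name_len + f->value_len + f->raw_pad;
    return v >= n + f->name_len && v + f->value_len <= n + span;
}

/* Verifies the invariant before the walk instead of reading past a standalone literal. */
static bool sanity_check_field(const struct field *f, unsigned *sum)
{
    if (!f->n_v_raw_printable) {
        *sum = checksum_block(f->name, f->name_len) ^ checksum_block(f->value, f->value_len);
        return true;
    }
    if (!raw_block_is_contiguous(f))
        return false;
    *sum = checksum_block(f->name, f->name_len + f->value_len + f->raw_pad);
    return true;
}

/* The HTTP/2 case: ":status" from a string literal, value in a separate buffer.
 * With the flag set the check rejects it; with the flag cleared it passes. */
static bool check_pseudo_status(bool raw_printable_flag)
{
    static const char status_name[] = ":status";
    char status_value[4] = "200";
    struct field f = { status_name, 7, status_value, 3, 0, raw_printable_flag };
    unsigned sum;
    return sanity_check_field(&f, &sum);
}
```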