[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()
[ https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683340#comment-13683340 ] ASF subversion and git services commented on TS-1923: - Commit 9f8195f443e1e16862cbb7abc0497ec64dafd025 in branch refs/heads/3.2.x from [~yunkai] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=9f8195f ] TS-1923: Fix resolve_logfield_string() When bytes_resolved is 0, we should free result directly, or it will return the not-null result to the caller with the strlen(result) is 0, which will lead to ATS crash. Signed-off-by: Yunkai Zhang Signed-off-by: Zhao Yongming Conflicts: CHANGES test/review: igalic, sorber, zwoop backport: igalic > 3.2.x - Fix resolve_logfield_string() > - > > Key: TS-1923 > URL: https://issues.apache.org/jira/browse/TS-1923 > Project: Traffic Server > Issue Type: Bug > Components: Core >Affects Versions: 3.2.4 >Reporter: Yunkai Zhang >Assignee: Igor Galić > Fix For: 3.2.5 > > Attachments: 0001-Fix-resolve_logfield_string.patch > > > When ATS receives a malicious request which URL is too long to hold by > internal_msg_buffer, the internal_msg_buffer_size might be set to 0. > As a result, the appended memory which allocated by ats_malloc() would > be mistaken for the memory from ink_freelist, and would be free to > ink_freelist finally. > As this memory is larger than the one in ink_freelist, and all memory in > the origin ink_freelist would not be reclaimed, so it wouldn't cause > segment-fault, that is why we didn't notice it in the past. > But after we use reclaimabe-freelist, this bug would cause segment-fault > when use it to get inner meta-data or free it back to OS by unmmap(). > === > Now, we found the root cause which would lead to internal_msg_buffer_size to 0 > while internal_msg_buffer is NOT NULL. > That is resolve_logfiled_string() function. Let's fix it. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()
[ https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683341#comment-13683341 ] ASF subversion and git services commented on TS-1923: - Commit 71bbb07c79b2c2e6cb554473dd57caf25b88bb64 in branch refs/heads/3.2.x from [~i.galic] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=71bbb07 ] promote TS-1923 > 3.2.x - Fix resolve_logfield_string() > - > > Key: TS-1923 > URL: https://issues.apache.org/jira/browse/TS-1923 > Project: Traffic Server > Issue Type: Bug > Components: Core >Affects Versions: 3.2.4 >Reporter: Yunkai Zhang >Assignee: Igor Galić > Fix For: 3.2.5 > > Attachments: 0001-Fix-resolve_logfield_string.patch > > > When ATS receives a malicious request which URL is too long to hold by > internal_msg_buffer, the internal_msg_buffer_size might be set to 0. > As a result, the appended memory which allocated by ats_malloc() would > be mistaken for the memory from ink_freelist, and would be free to > ink_freelist finally. > As this memory is larger than the one in ink_freelist, and all memory in > the origin ink_freelist would not be reclaimed, so it wouldn't cause > segment-fault, that is why we didn't notice it in the past. > But after we use reclaimabe-freelist, this bug would cause segment-fault > when use it to get inner meta-data or free it back to OS by unmmap(). > === > Now, we found the root cause which would lead to internal_msg_buffer_size to 0 > while internal_msg_buffer is NOT NULL. > That is resolve_logfiled_string() function. Let's fix it. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()
[ https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13672281#comment-13672281 ] ASF subversion and git services commented on TS-1923: - Commit 325aa13e1be53dacb76b0162d1242539837c627c in branch refs/heads/3.2.x from [~zwoop] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=325aa13 ] Voted on TS-1923. > 3.2.x - Fix resolve_logfield_string() > - > > Key: TS-1923 > URL: https://issues.apache.org/jira/browse/TS-1923 > Project: Traffic Server > Issue Type: Bug > Components: Core >Affects Versions: 3.2.4 >Reporter: Yunkai Zhang >Assignee: Igor Galić > Fix For: 3.2.5 > > Attachments: 0001-Fix-resolve_logfield_string.patch > > > When ATS receives a malicious request which URL is too long to hold by > internal_msg_buffer, the internal_msg_buffer_size might be set to 0. > As a result, the appended memory which allocated by ats_malloc() would > be mistaken for the memory from ink_freelist, and would be free to > ink_freelist finally. > As this memory is larger than the one in ink_freelist, and all memory in > the origin ink_freelist would not be reclaimed, so it wouldn't cause > segment-fault, that is why we didn't notice it in the past. > But after we use reclaimabe-freelist, this bug would cause segment-fault > when use it to get inner meta-data or free it back to OS by unmmap(). > === > Now, we found the root cause which would lead to internal_msg_buffer_size to 0 > while internal_msg_buffer is NOT NULL. > That is resolve_logfiled_string() function. Let's fix it. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()
[ https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13670849#comment-13670849 ] ASF subversion and git services commented on TS-1923: - Commit d23afdaf8b6310daf2fb3a9715f979b42da8d17e in branch refs/heads/3.2.x from [~psudaemon] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=d23afda ] Voted on TS-1923 > 3.2.x - Fix resolve_logfield_string() > - > > Key: TS-1923 > URL: https://issues.apache.org/jira/browse/TS-1923 > Project: Traffic Server > Issue Type: Bug > Components: Core >Affects Versions: 3.2.4 >Reporter: Yunkai Zhang >Assignee: Igor Galić > Fix For: 3.2.5 > > Attachments: 0001-Fix-resolve_logfield_string.patch > > > When ATS receives a malicious request which URL is too long to hold by > internal_msg_buffer, the internal_msg_buffer_size might be set to 0. > As a result, the appended memory which allocated by ats_malloc() would > be mistaken for the memory from ink_freelist, and would be free to > ink_freelist finally. > As this memory is larger than the one in ink_freelist, and all memory in > the origin ink_freelist would not be reclaimed, so it wouldn't cause > segment-fault, that is why we didn't notice it in the past. > But after we use reclaimabe-freelist, this bug would cause segment-fault > when use it to get inner meta-data or free it back to OS by unmmap(). > === > Now, we found the root cause which would lead to internal_msg_buffer_size to 0 > while internal_msg_buffer is NOT NULL. > That is resolve_logfiled_string() function. Let's fix it. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
