[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()

2013-06-14 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13683341#comment-13683341
 ] 

ASF subversion and git services commented on TS-1923:
-

Commit 71bbb07c79b2c2e6cb554473dd57caf25b88bb64 in branch refs/heads/3.2.x from 
[~i.galic]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=71bbb07 ]

promote TS-1923


 3.2.x - Fix resolve_logfield_string()
 -------------------------------------

              Key: TS-1923
              URL: https://issues.apache.org/jira/browse/TS-1923
          Project: Traffic Server
       Issue Type: Bug
       Components: Core
 Affects Versions: 3.2.4
         Reporter: Yunkai Zhang
         Assignee: Igor Galić
          Fix For: 3.2.5

      Attachments: 0001-Fix-resolve_logfield_string.patch


 When ATS receives a malicious request whose URL is too long to be held by
 internal_msg_buffer, the internal_msg_buffer_size might be set to 0.
 As a result, the appended memory which was allocated by ats_malloc() would
 be mistaken for memory from ink_freelist, and would finally be freed to
 ink_freelist.
 As this memory is larger than the one in ink_freelist, and all memory in
 the original ink_freelist would not be reclaimed, it wouldn't cause a
 segment-fault; that is why we didn't notice it in the past.
 But after we use reclaimable-freelist, this bug would cause a segment-fault
 when we use it to get inner meta-data or free it back to the OS by munmap().
 ===
 Now, we found the root cause which would lead to internal_msg_buffer_size being 0
 while internal_msg_buffer is NOT NULL.
 That is the resolve_logfield_string() function. Let's fix it.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
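
The failure mode described in the issue, as an added example that is not Traffic Server code: a resolver that returns a non-NULL buffer with `strlen() == 0`, a caller that derives the size from the string, and a release rule that reads size 0 as "freelist block". All names, the `CAP` value and the sample inputs are hypothetical or constructed; the fixed resolver frees the result and returns NULL when zero bytes were resolved, as the TS-1923 commit message states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the TS-1923 failure mode. Not Traffic Server code:
 * every name below is hypothetical. */
#define CAP 16  /* constructed buffer capacity */

struct msg { char *buf; size_t size; };  /* stands in for internal_msg_buffer and its size */

/* Buggy resolver: returns a heap buffer even when nothing fit into it. */
static char *resolve_buggy(const char *value, size_t *bytes_resolved) {
    char *result = malloc(CAP);
    size_t len = strlen(value);
    if (!result) { *bytes_resolved = 0; return NULL; }
    *bytes_resolved = (len < CAP) ? len : 0;   /* too long: nothing resolved */
    memcpy(result, value, *bytes_resolved);
    result[*bytes_resolved] = '\0';
    return result;                             /* non-NULL with strlen() == 0 */
}

/* Fixed resolver: zero bytes resolved means no buffer is handed out. */
static char *resolve_fixed(const char *value, size_t *bytes_resolved) {
    char *result = resolve_buggy(value, bytes_resolved);
    if (result && *bytes_resolved == 0) { free(result); result = NULL; }
    return result;
}

/* Assumed release rule, taken from the issue text: size 0 is read as "freelist block". */
static int routed_to_freelist(const struct msg *m) { return m->size == 0; }

/* Returns 1 when a heap buffer would be handed to the freelist. */
static int misrouted(char *(*resolve)(const char *, size_t *), const char *value) {
    size_t n = 0;
    struct msg m;
    m.buf = resolve(value, &n);
    m.size = m.buf ? strlen(m.buf) : 0;        /* caller derives size from the string */
    int bad = (m.buf != NULL) && routed_to_freelist(&m);
    free(m.buf);                               /* the model itself always frees correctly */
    return bad;
}

int main(void) {
    const char *long_url = "/constructed/path/that/exceeds/the/buffer";
    printf("buggy, long:  %d\n", misrouted(resolve_buggy, long_url));
    printf("fixed, long:  %d\n", misrouted(resolve_fixed, long_url));
    printf("fixed, short: %d\n", misrouted(resolve_fixed, "/ok"));
    return 0;
}
```
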


[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()

2013-06-14 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13683340#comment-13683340
 ] 

ASF subversion and git services commented on TS-1923:
-

Commit 9f8195f443e1e16862cbb7abc0497ec64dafd025 in branch refs/heads/3.2.x from 
[~yunkai]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=9f8195f ]

TS-1923: Fix resolve_logfield_string()

When bytes_resolved is 0, we should free result directly,
or it will return the non-null result to the caller with
strlen(result) equal to 0, which will lead to an ATS crash.

Signed-off-by: Yunkai Zhang qiushu@taobao.com
Signed-off-by: Zhao Yongming ming@gmail.com

Conflicts:
CHANGES

test/review: igalic, sorber, zwoop
backport: igalic




[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()

2013-06-01 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13672281#comment-13672281
 ] 

ASF subversion and git services commented on TS-1923:
-

Commit 325aa13e1be53dacb76b0162d1242539837c627c in branch refs/heads/3.2.x from 
[~zwoop]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=325aa13 ]

Voted on TS-1923.




[jira] [Commented] (TS-1923) 3.2.x - Fix resolve_logfield_string()

2013-05-30 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/TS-1923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13670849#comment-13670849
 ] 

ASF subversion and git services commented on TS-1923:
-

Commit d23afdaf8b6310daf2fb3a9715f979b42da8d17e in branch refs/heads/3.2.x from 
[~psudaemon]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=d23afda ]

Voted on TS-1923

