[ https://issues.apache.org/jira/browse/TS-3359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Geffon resolved TS-3359. ------------------------------ Resolution: Fixed > Use after free: Tunnel destroyed without updating HttpSM > -------------------------------------------------------- > > Key: TS-3359 > URL: https://issues.apache.org/jira/browse/TS-3359 > Project: Traffic Server > Issue Type: Bug > Components: Core > Reporter: Brian Geffon > Assignee: Brian Geffon > Fix For: 5.3.0 > > > In HttpSM there is a member called ua_session which is a HttpClientSession. > When chain_abort_all() is called in HttpSM::tunnel_handler_server on the > is_http_server_eos_truncation() case it causes this client session to be > destroyed but it is later referenced in HttpSM::tunnel_handler_server. > Typically this object will be on the freelist and it will happily address the > memory; however, under high loads this will obviously lead to issues. This > was detected by disabling freelist and using address sanitizer. The patch > will be attached. -- This message was sent by Atlassian JIRA (v6.3.4#6332)