Traffic Server / TS-1913

Fix resolve_logfield_string()

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.3.4
    • Core
    • None

    Description

      When ATS receives a malicious request whose URL is too long to be held by
      internal_msg_buffer, the internal_msg_buffer_size might be set to 0.

      As a result, the appended memory, which is allocated by ats_malloc(), would
      be mistaken for memory from ink_freelist, and would finally be freed to
      ink_freelist.

      As this memory is larger than the one in ink_freelist, and all memory in
      the original ink_freelist would not be reclaimed, it wouldn't cause a
      segmentation fault; that is why we didn't notice it in the past.

      But after we use reclaimable-freelist, this bug would cause a segmentation
      fault when we use it to get inner meta-data or free it back to the OS by
      munmap().

      ===
      Now, we found the root cause which would lead to internal_msg_buffer_size
      being 0 while internal_msg_buffer is NOT NULL.

      That is the resolve_logfield_string() function. Let's fix it.
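
A simplified C model of the failure mode described in the report above, added here as an illustration; it is not Traffic Server code and does not come from the reporter. The struct, the function names and the rule that a size of 0 selects the pool release path are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not Traffic Server code; every name is hypothetical. */
enum origin { FROM_POOL, FROM_HEAP };
#define POOL_BLOCK 64              /* assumed fixed block size of the pool */

struct msg_buf {
    char       *ptr;
    size_t      size;              /* assumption: 0 is read as "pool block" */
    enum origin origin;            /* explicit tag used by the hardened path */
};

/* Requests larger than a pool block fall back to the heap. */
static void buf_alloc(struct msg_buf *b, size_t n) {
    int big   = n > POOL_BLOCK;
    b->ptr    = malloc(big ? n : POOL_BLOCK);
    b->size   = big ? n : 0;
    b->origin = big ? FROM_HEAP : FROM_POOL;
}

/* Reproduces the reported state: size cleared while ptr stays non-NULL. */
static void buggy_reset(struct msg_buf *b) { b->size = 0; }

/* Fragile: infers the allocator from size. Returns the path it chose.
   (The model calls free() on both paths so it never corrupts memory.) */
static enum origin release_by_size(struct msg_buf *b) {
    enum origin path = b->size == 0 ? FROM_POOL : FROM_HEAP;
    free(b->ptr); b->ptr = NULL;
    return path;
}

/* Hardened: the release path follows the tag recorded at allocation. */
static enum origin release_by_tag(struct msg_buf *b) {
    enum origin path = b->origin;
    free(b->ptr); b->ptr = NULL; b->size = 0;
    return path;
}

/* Debug-build invariant: a live buffer's size must agree with its origin. */
static int invariant_ok(const struct msg_buf *b) {
    return b->ptr == NULL || (b->size == 0) == (b->origin == FROM_POOL);
}

int main(void) {
    struct msg_buf a, b;
    buf_alloc(&a, 4096); buggy_reset(&a);  /* constructed oversized request */
    buf_alloc(&b, 4096); buggy_reset(&b);
    int ok = invariant_ok(&a);
    printf("invariant_ok=%d\n", ok);
    printf("by_size=%d by_tag=%d\n", release_by_size(&a), release_by_tag(&b));
    return 0;
}
```

Checking the invariant at every point where the size field is written catches the inconsistent state where it is created, rather than later when the buffer is released.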

            People

              yunkai Yunkai Zhang