  1. Traffic Server
  2. TS-3633

SPDY memory use after free

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 5.3.0
    • None
    • SPDY
    • None

    Description

      From ASAN:

      ==2681==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002785f4 at pc 0x7d9fc2 bp 0x2b9286cae7f0 sp 0x2b9286cae7e8
      READ of size 1 at 0x6110002785f4 thread T4 ([ET_NET 3])
          #0 0x7d9fc1 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:332
          #1 0x7d9fc1 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
          #2 0x4f2258 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
          #3 0x4f2258 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:254
          #4 0x4f54aa in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:520
          #5 0x5a0907 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
          #6 0x5a0907 in PluginVC::process_write_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:509
          #7 0x5ab4fd in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:208
          #8 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
          #9 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #10 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
          #11 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
          #12 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
          #13 0x2b92811e11ac in __clone (/lib64/libc.so.6+0xf61ac)
      
      0x6110002785f4 is located 52 bytes inside of 224-byte region [0x6110002785c0,0x6110002786a0)
      freed by thread T4 ([ET_NET 3]) here:
          #0 0x2b927d5771c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
          #1 0x7e02a3 in ClassAllocator<SpdyRequest>::free(SpdyRequest*) ../../lib/ts/Allocator.h:134
          #2 0x7e02a3 in SpdyClientSession::cleanup_request(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.h:137
          #3 0x7e02a3 in spdy_prepare_status_response_and_clean_request(SpdyClientSession*, int, char const*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:85
          #4 0x7d8ef4 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:347
          #5 0x7d8ef4 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
          #6 0x4f2be5 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
          #7 0x4f2be5 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:263
          #8 0x4f3dfa in FetchSM::process_fetch_read(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:469
          #9 0x4f5492 in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:518
          #10 0x59f247 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
          #11 0x59f247 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:629
          #12 0x5abd79 in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:204
          #13 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
          #14 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #15 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
          #16 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
          #17 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
      
      previously allocated by thread T4 ([ET_NET 3]) here:
          #0 0x2b927d57793b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
          #1 0x2b927e4612d9 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:96
          #2 0x2b927e461b90 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:243
          #3 0x7e082a in ClassAllocator<SpdyRequest>::alloc() ../../lib/ts/Allocator.h:120
          #4 0x7e082a in spdy_on_ctrl_recv_callback(spdylay_session*, spdylay_frame_type, spdylay_frame*, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:312
          #5 0x2b927f11303f in spdylay_session_call_on_ctrl_frame_received /admin/src/spdylay/lib/spdylay_session.c:1634
          #6 0x2b927f11303f in spdylay_session_on_syn_stream_received /admin/src/spdylay/lib/spdylay_session.c:1782
          #7 0x5693900000193
      
      Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
          #0 0x2b927d54686a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
          #1 0xc852a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
          #2 0xc852a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
          #3 0xc8d826 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
          #4 0x499003 in main /usr/local/src/trafficserver/proxy/Main.cc:1647
          #5 0x2b928110caf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
      

            People

              Unassigned Unassigned
              zwoop Leif Hedstrom