Details
- Bug
- Status: Closed
- Major
- Resolution: Duplicate
- 5.3.0
- None
- None
Description
From ASAN:
==2681==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002785f4 at pc 0x7d9fc2 bp 0x2b9286cae7f0 sp 0x2b9286cae7e8
READ of size 1 at 0x6110002785f4 thread T4 ([ET_NET 3])
    #0 0x7d9fc1 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:332
    #1 0x7d9fc1 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
    #2 0x4f2258 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #3 0x4f2258 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:254
    #4 0x4f54aa in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:520
    #5 0x5a0907 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #6 0x5a0907 in PluginVC::process_write_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:509
    #7 0x5ab4fd in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:208
    #8 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
    #9 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #10 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
    #11 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #12 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
    #13 0x2b92811e11ac in __clone (/lib64/libc.so.6+0xf61ac)

0x6110002785f4 is located 52 bytes inside of 224-byte region [0x6110002785c0,0x6110002786a0)
freed by thread T4 ([ET_NET 3]) here:
    #0 0x2b927d5771c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7e02a3 in ClassAllocator<SpdyRequest>::free(SpdyRequest*) ../../lib/ts/Allocator.h:134
    #2 0x7e02a3 in SpdyClientSession::cleanup_request(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.h:137
    #3 0x7e02a3 in spdy_prepare_status_response_and_clean_request(SpdyClientSession*, int, char const*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:85
    #4 0x7d8ef4 in spdy_process_fetch /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:347
    #5 0x7d8ef4 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:248
    #6 0x4f2be5 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #7 0x4f2be5 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:263
    #8 0x4f3dfa in FetchSM::process_fetch_read(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:469
    #9 0x4f5492 in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:518
    #10 0x59f247 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:145
    #11 0x59f247 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:629
    #12 0x5abd79 in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:204
    #13 0xc859fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
    #14 0xc859fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #15 0xc87669 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
    #16 0xc84618 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #17 0x2b927f978df4 in start_thread (/lib64/libpthread.so.0+0x7df4)

previously allocated by thread T4 ([ET_NET 3]) here:
    #0 0x2b927d57793b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
    #1 0x2b927e4612d9 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:96
    #2 0x2b927e461b90 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:243
    #3 0x7e082a in ClassAllocator<SpdyRequest>::alloc() ../../lib/ts/Allocator.h:120
    #4 0x7e082a in spdy_on_ctrl_recv_callback(spdylay_session*, spdylay_frame_type, spdylay_frame*, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:312
    #5 0x2b927f11303f in spdylay_session_call_on_ctrl_frame_received /admin/src/spdylay/lib/spdylay_session.c:1634
    #6 0x2b927f11303f in spdylay_session_on_syn_stream_received /admin/src/spdylay/lib/spdylay_session.c:1782
    #7 0x5693900000193

Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
    #0 0x2b927d54686a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0xc852a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
    #2 0xc852a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
    #3 0xc8d826 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
    #4 0x499003 in main /usr/local/src/trafficserver/proxy/Main.cc:1647
    #5 0x2b928110caf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
Issue Links
- is duplicated by
  - TS-3378 SpdyRequest used after free() (Closed)