Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.1.0
- None
- Stock debian amd64 2.6.34.7 kernel modified to increase XEN domU max RAM to 96Gb
  Stock build with:
  ./configure --enable-layout=Debian --sysconfdir=/etc/trafficserver --libdir=/usr/lib/trafficserver --with-user=root --with-group=root --enable-debug --enable-static-libts CFLAGS= CXXFLAGS= --enable-wccp
Description
Vol::evac_range in iocore/CacheWrite.cc calculates its looping values from 64-bit off_t values but stores them in 32-bit integers:
int Vol::evac_range(off_t low, off_t high, int evac_phase) {
  int s = offset_to_vol_offset(this, low);
  int e = offset_to_vol_offset(this, high);
  int si = dir_offset_evac_bucket(s);
  int ei = dir_offset_evac_bucket(e);
When Vol::start and/or the low/high parameters get large enough, these loop values become truncated and potentially negative, causing a general protection fault as the loop attempts to access memory addresses below the valid range.
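The truncation described above, reproduced in a stand-alone C++ model (an added example, not Traffic Server code). DemoVol, the helper names, the 512-byte block size and the 8192-block bucket size are assumptions chosen for illustration, and the narrowing relies on the usual two's-complement wraparound.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed stand-ins for illustration; not Traffic Server's definitions.
constexpr int64_t kBlockSize = 512;            // bytes per cache block (assumed)
constexpr int64_t kBlocksPerEvacBucket = 8192; // blocks per evac bucket (assumed)

struct DemoVol { int64_t start; };             // hypothetical volume descriptor

// Byte offset -> block offset within the volume, computed in 64 bits.
int64_t to_vol_offset(const DemoVol &v, int64_t byte_off) {
  return (byte_off - v.start + kBlockSize) / kBlockSize;
}

// Pattern from the report: the 64-bit result is stored in a 32-bit int.
int32_t evac_bucket_narrow(const DemoVol &v, int64_t byte_off) {
  int32_t s = static_cast<int32_t>(to_vol_offset(v, byte_off)); // high bits lost
  return s / static_cast<int32_t>(kBlocksPerEvacBucket);
}

// Same computation with the intermediate kept 64 bits wide.
int64_t evac_bucket_wide(const DemoVol &v, int64_t byte_off) {
  return to_vol_offset(v, byte_off) / kBlocksPerEvacBucket;
}

// Defensive check before a bucket index is used to address a table.
bool bucket_in_range(int64_t bucket, int64_t bucket_count) {
  return bucket >= 0 && bucket < bucket_count;
}

int main() {
  DemoVol v{0};
  // Constructed sample offsets: 1 GiB (fits in 32 bits) and 1.5 TiB (does not).
  const int64_t offsets[] = {int64_t{1} << 30, int64_t{3} << 39};
  for (int64_t off : offsets) {
    int32_t narrow = evac_bucket_narrow(v, off);
    int64_t wide = evac_bucket_wide(v, off);
    std::printf("offset=%lld narrow=%d wide=%lld narrow_ok=%d\n",
                static_cast<long long>(off), narrow,
                static_cast<long long>(wide),
                bucket_in_range(narrow, 1 << 20) ? 1 : 0);
  }
  return 0;
}
```

With 512-byte blocks the block offset exceeds INT32_MAX once the byte offset passes 1 TiB, which is where the narrow variant starts returning negative bucket indexes.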