Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't assume LogAccess::m_client_req_unmapped_url_canon_str is null terminated. #11305

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Don't assume LogAccess::m_client_req_unmapped_url_canon_str is null terminated. #11305

wants to merge 1 commit into from

Conversation

ywkaras
Copy link
Contributor

@ywkaras ywkaras commented Apr 30, 2024

In this code:

trafficserver/src/proxy/logging/LogAccess.cc

Line 1591 in ff100f4

char *unmapped_url = m_http_sm->t_state.unmapped_url.string_get_ref(&unmapped_url_len);

if the unmapped URL has nothing to escape, m_client_req_unmapped_url_canon_str will retain the value returned by string_get_ref().

string_get_ref() is a wrapper for url_string_get_ref():

trafficserver/include/proxy/hdrs/URL.h

Line 468 in ff100f4

URL::string_get_ref(int *length, unsigned normalization_flags) const

In this case, there is no apparent null termination:

trafficserver/src/proxy/hdrs/URL.cc

Line 631 in ff100f4

return const_cast<char *>(url->m_ptr_printed_string);

It looks like this is how the terminal null can be lost on m_ptr_printed_string:

trafficserver/src/proxy/hdrs/URL.cc

Line 360 in ff100f4

m_ptr_printed_string = new_heap->localize({m_ptr_printed_string, m_len_printed_string}).data();

trafficserver/include/proxy/hdrs/HdrHeap.h

Line 255 in e0620eb

char *new_str = this->allocate_str(length);

@ywkaras
Don't assume LogAccess::m_client_req_unmapped_url_canon_str is null t…
1ab7ef6 
…erminated. (apache#936)

In this code:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/logging/LogAccess.cc#L1591

if the unmapped URL has nothing to escape, m_client_req_unmapped_url_canon_str
will retain the value returned by string_get_ref().

string_get_ref() is a wrapper for url_string_get_ref():

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/include/proxy/hdrs/URL.h#L468

In this case, there is no apparent null termination:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/hdrs/URL.cc#L631

It looks like this is how the terminal null can be lost on m_ptr_printed_string:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/hdrs/URL.cc#L360
https://github.com/apache/trafficserver/blob/e0620eb941eab2603b2c230366e0fae5eeb6b57d/include/proxy/hdrs/HdrHeap.h#L255
@ywkaras ywkaras self-assigned this Apr 30, 2024
@ywkaras ywkaras added this to the 10.1.0 milestone Apr 30, 2024
@ywkaras ywkaras added this to In progress in 9.1.x Branch and Release via automation Apr 30, 2024
@ywkaras ywkaras added this to In progress in 9.2.x Branch and Release via automation Apr 30, 2024
@ywkaras
Copy link
Contributor Author

ywkaras commented Apr 30, 2024

This change has been running in Yahoo prod for about two weeks. It stopped memory corruption that was previously causing frequent crashes.

bneradt
bneradt reviewed May 2, 2024
View reviewed changes
Copy link
Contributor

@bneradt bneradt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to confirm: this has worked well for Yahoo and has fixed a pretty bad crash.

@maskit
Copy link
Member

maskit commented May 3, 2024

Other functions around this function use ink_strlcpy. Doing a different thing just for this case doesn't look like a right way. Can the other functions have similar issue and need similar changes? Did you consider ensuring the string is null terminated?

@ywkaras
Copy link
Contributor Author

ywkaras commented May 3, 2024

Other functions around this function use ink_strlcpy. Doing a different thing just for this case doesn't look like a right way. Can the other functions have similar issue and need similar changes? Did you consider ensuring the string is null terminated?

This is a one-line, low-risk fix to a crash. If there is a better fix, it can be put in later. How does it make sense to put out release 10 with a bug, because it's possible there is a better fix for the bug? The clean fix is to consistently use null terminated strings, or strring_view. I don' t have time to do that currently, especially if we don't want to delay release 10.

@maskit
Copy link
Member

maskit commented May 3, 2024

If you think the clean fix is different from this change, why don't you leave a note? How could I know this is a compromise?

Also, I don't think we will have this on 9.1.x.

@ywkaras
Copy link
Contributor Author

ywkaras commented May 3, 2024

Why would we want to leave the crash in 9.x?

@maskit
Copy link
Member

maskit commented May 3, 2024

I said 9.1.x.

image

@ywkaras
Copy link
Contributor Author

ywkaras commented May 3, 2024

Is 9.1.x no longer supported (with maintenance releases)?

@bryancall bryancall requested a review from moonchen May 20, 2024 22:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bneradt bneradt bneradt left review comments

@moonchen moonchen Awaiting requested review from moonchen

At least 1 approving review is required to merge this pull request.

Assignees

@ywkaras ywkaras

Labels
Bug Logging
Projects
9.1.x Branch and Release
  
In progress
9.2.x Branch and Release
  
In progress
ATS v10.0.x
Status: No status
Milestone
10.1.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ywkaras @maskit @bneradt