Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't assume LogAccess::m_client_req_unmapped_url_canon_str is null terminated. #11305

Merged
merged 1 commit into from
Jun 3, 2024
Merged

Don't assume LogAccess::m_client_req_unmapped_url_canon_str is null terminated. #11305

merged 1 commit into from
Jun 3, 2024

Conversation

ywkaras
Copy link
Contributor

@ywkaras ywkaras commented Apr 30, 2024

In this code:

trafficserver/src/proxy/logging/LogAccess.cc

Line 1591 in ff100f4

char *unmapped_url = m_http_sm->t_state.unmapped_url.string_get_ref(&unmapped_url_len);

if the unmapped URL has nothing to escape, m_client_req_unmapped_url_canon_str will retain the value returned by string_get_ref().

string_get_ref() is a wrapper for url_string_get_ref():

trafficserver/include/proxy/hdrs/URL.h

Line 468 in ff100f4

URL::string_get_ref(int *length, unsigned normalization_flags) const

In this case, there is no apparent null termination:

trafficserver/src/proxy/hdrs/URL.cc

Line 631 in ff100f4

return const_cast<char *>(url->m_ptr_printed_string);

It looks like this is how the terminal null can be lost on m_ptr_printed_string:

trafficserver/src/proxy/hdrs/URL.cc

Line 360 in ff100f4

m_ptr_printed_string = new_heap->localize({m_ptr_printed_string, m_len_printed_string}).data();

trafficserver/include/proxy/hdrs/HdrHeap.h

Line 255 in e0620eb

char *new_str = this->allocate_str(length);

@ywkaras
Don't assume LogAccess::m_client_req_unmapped_url_canon_str is null t…
1ab7ef6 
…erminated. (apache#936)

In this code:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/logging/LogAccess.cc#L1591

if the unmapped URL has nothing to escape, m_client_req_unmapped_url_canon_str
will retain the value returned by string_get_ref().

string_get_ref() is a wrapper for url_string_get_ref():

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/include/proxy/hdrs/URL.h#L468

In this case, there is no apparent null termination:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/hdrs/URL.cc#L631

It looks like this is how the terminal null can be lost on m_ptr_printed_string:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/hdrs/URL.cc#L360
https://github.com/apache/trafficserver/blob/e0620eb941eab2603b2c230366e0fae5eeb6b57d/include/proxy/hdrs/HdrHeap.h#L255
@ywkaras ywkaras self-assigned this Apr 30, 2024
@ywkaras ywkaras added this to the 10.1.0 milestone Apr 30, 2024
@ywkaras ywkaras added this to In progress in 9.1.x Branch and Release via automation Apr 30, 2024
@ywkaras ywkaras added this to In progress in 9.2.x Branch and Release via automation Apr 30, 2024
@ywkaras
Copy link
Contributor Author

ywkaras commented Apr 30, 2024

This change has been running in Yahoo prod for about two weeks. It stopped memory corruption that was previously causing frequent crashes.

bneradt
bneradt reviewed May 2, 2024
View reviewed changes
Copy link
Contributor

@bneradt bneradt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to confirm: this has worked well for Yahoo and has fixed a pretty bad crash.

@maskit
Copy link
Member

maskit commented May 3, 2024

Other functions around this function use ink_strlcpy. Doing a different thing just for this case doesn't look like a right way. Can the other functions have similar issue and need similar changes? Did you consider ensuring the string is null terminated?

@ywkaras
Copy link
Contributor Author

ywkaras commented May 3, 2024

Other functions around this function use ink_strlcpy. Doing a different thing just for this case doesn't look like a right way. Can the other functions have similar issue and need similar changes? Did you consider ensuring the string is null terminated?

This is a one-line, low-risk fix to a crash. If there is a better fix, it can be put in later. How does it make sense to put out release 10 with a bug, because it's possible there is a better fix for the bug? The clean fix is to consistently use null terminated strings, or strring_view. I don' t have time to do that currently, especially if we don't want to delay release 10.

@maskit
Copy link
Member

maskit commented May 3, 2024

If you think the clean fix is different from this change, why don't you leave a note? How could I know this is a compromise?

Also, I don't think we will have this on 9.1.x.

@ywkaras
Copy link
Contributor Author

ywkaras commented May 3, 2024

Why would we want to leave the crash in 9.x?

@maskit
Copy link
Member

maskit commented May 3, 2024

I said 9.1.x.

image

@ywkaras
Copy link
Contributor Author

ywkaras commented May 3, 2024

Is 9.1.x no longer supported (with maintenance releases)?

@bryancall bryancall requested a review from moonchen May 20, 2024 22:29
@moonchen
Copy link
Contributor

moonchen commented Jun 3, 2024

The code is quite conflicted about whether this string should be null-terminated or not. There are places where the length from url_string_get_ref is ignored, and others where the null terminator is ignored, like HDR_MOVE_STR. For now I think this PR is doing the safer thing.

9.1.x Branch and Release automation moved this from In progress to Ready to Merge Jun 3, 2024
9.2.x Branch and Release automation moved this from In progress to Ready to Merge Jun 3, 2024
@ywkaras ywkaras merged commit 89cdda7 into apache:master Jun 3, 2024
15 checks passed
9.1.x Branch and Release automation moved this from Ready to Merge to For 9.1.3 Jun 3, 2024
@cmcfarlen cmcfarlen modified the milestones: 10.1.0, 10.0.0 Jun 5, 2024
@cmcfarlen
Copy link
Contributor

Cherry-picked to v10.0.x

cmcfarlen pushed a commit that referenced this pull request Jun 5, 2024
@ywkaras @cmcfarlen
Don't assume LogAccess::m_client_req_unmapped_url_canon_str is null t…
37a1bf9 
…erminated. (#936) (#11305)

In this code:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/logging/LogAccess.cc#L1591

if the unmapped URL has nothing to escape, m_client_req_unmapped_url_canon_str
will retain the value returned by string_get_ref().

string_get_ref() is a wrapper for url_string_get_ref():

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/include/proxy/hdrs/URL.h#L468

In this case, there is no apparent null termination:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/hdrs/URL.cc#L631

It looks like this is how the terminal null can be lost on m_ptr_printed_string:

https://github.com/apache/trafficserver/blob/ff100f4f5ce69a00e3f3093f202d5f1aa9bb2ee5/src/proxy/hdrs/URL.cc#L360
https://github.com/apache/trafficserver/blob/e0620eb941eab2603b2c230366e0fae5eeb6b57d/include/proxy/hdrs/HdrHeap.h#L255
(cherry picked from commit 89cdda7)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bneradt bneradt bneradt left review comments

@moonchen moonchen moonchen approved these changes

Assignees

@ywkaras ywkaras

Labels
Bug Logging
Projects
9.1.x Branch and Release
  
For 9.1.3
9.2.x Branch and Release
  
Ready to Merge
ATS v10.0.x
Status: picked-10.0.0
Milestone
10.0.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@ywkaras @maskit @moonchen @cmcfarlen @bneradt