apache / trafficserver

Apache Traffic Server™ is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server.
https://trafficserver.apache.org/
Apache License 2.0

QUIC: ASan: heap-buffer-overflow #3213

Closed masaori335 closed 5 years ago

masaori335 commented 6 years ago

[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICFrameDispatcher.cc:61 (receive_frame> (quic_frame_handler)        Received STREAM frame, size 63
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICStream.cc:318 (recv)>                 (quic_flow_ctrl)            [1c9937877d7a7c14] [0] [OPEN] [LOCAL] 330/2320
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICStream.cc:293 (_write_to_read_vio)>   (quic_flow_ctrl)            [1c9937877d7a7c14] [0] [OPEN] [LOCAL] 330/2378
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICHandshake.cc:347 (state_auth)>        (quic_handshake)            [1c9937877d7a7c14] VC_EVENT_READ_READY (100)
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICHandshake.cc:572 (_complete_handshak> (quic_handshake)            [1c9937877d7a7c14] Enter state_complete
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICHandshake.cc:574 (_complete_handshak> (quic_handshake)            [1c9937877d7a7c14] TLS13-AES-128-GCM-SHA256
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICTLS.cc:175 (update_key_materials)>    (vv_quic_crypto)            client key 0x59FEB52695DC11CAD7891D847BD27161
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICTLS.cc:177 (update_key_materials)>    (vv_quic_crypto)            client iv 0x5564413AED9A0E2AC59998E2
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICTLS.cc:183 (update_key_materials)>    (vv_quic_crypto)            server key 0x29552FFD0234E041D21E207001518BA1
[Mar  2 01:56:02.510] Server {0x7ff319083700} DEBUG: <QUICTLS.cc:185 (update_key_materials)>    (vv_quic_crypto)            server iv 0xF1797F3C2C444BB7F2AE672E
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICHandshake.cc:578 (_complete_handshak> (quic_handshake)            [1c9937877d7a7c14] Keying Materials are exported
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:262 (reenable)>             (quic_stream)               [1c9937877d7a7c14] [0] [OPEN] write_vio reenabled
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:488 (_process_write_vio)>   (quic_flow_ctrl)            [1c9937877d7a7c14] [0] [OPEN] [REMOTE] 2139/0
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:404 (_transmit_fra> (quic_net)                  [1c9937877d7a7c14] Frame Type=STREAM Size=230
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:1209 (_schedule_pa> (quic_net)                  [1c9937877d7a7c14] Schedule QUIC_EVENT_PACKET_WRITE_READY event
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICHandshake.cc:385 (state_complete)>    (quic_handshake)            [1c9937877d7a7c14] VC_EVENT_WRITE_READY (101)
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICHandshake.cc:386 (state_complete)>    (quic_handshake)            [1c9937877d7a7c14] Got an event on complete state. Ignoring it for now.
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:424 (_signal_write_event)>  (quic_stream)               [1c9937877d7a7c14] [0] [OPEN] VC_EVENT_WRITE_READY (101)
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:402 (_signal_read_event)>   (quic_stream)               [1c9937877d7a7c14] [0] [OPEN] VC_EVENT_READ_READY (100)
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:1044 (_recv_and_ac> (quic_flow_ctrl)            Connection [1c9937877d7a7c14] [LOCAL] 0/0
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:75 (init_flow_control_para> (quic_flow_ctrl)            [1c9937877d7a7c14] [0] [OPEN] [LOCAL] 330/2378
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:77 (init_flow_control_para> (quic_flow_ctrl)            [1c9937877d7a7c14] [0] [OPEN] [REMOTE] 2139/66560
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:1117 (_init_flow_c> (quic_flow_ctrl)            Connection [1c9937877d7a7c14] [LOCAL] 0/134217728
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:1120 (_init_flow_c> (quic_flow_ctrl)            Connection [1c9937877d7a7c14] [REMOTE] 0/1073741824
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <HQSessionAccept.cc:57 (accept)>           (quic_seq)                  [1c9937877d7a7c14] accepted connection from 34.218.64.203:51504 transport type = 6
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:1304 (_switch_to_e> (quic_net)                  [1c9937877d7a7c14] Enter state_connection_established
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:404 (_transmit_fra> (quic_net)                  [1c9937877d7a7c14] Frame Type=NEW_CONNECTION_ID Size=26
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:404 (_transmit_fra> (quic_net)                  [1c9937877d7a7c14] Frame Type=NEW_CONNECTION_ID Size=26
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:404 (_transmit_fra> (quic_net)                  [1c9937877d7a7c14] Frame Type=NEW_CONNECTION_ID Size=26
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICNetVConnection.cc:1195 (_dequeue_rec> (quic_net)                  [1c9937877d7a7c14] type=PROTECTED pkt_num=4 size=133
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICFrameDispatcher.cc:61 (receive_frame> (quic_frame_handler)        Received ACK frame, size 12
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICLossDetector.cc:178 (_on_ack_receive> (quic_loss_detector)        [1c9937877d7a7c14] Unacked packets 2 (retransmittable 2, includes 2 handshake packets)
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICLossDetector.cc:189 (_on_ack_receive> (quic_loss_detector)        [1c9937877d7a7c14] Unacked packets 0 (retransmittable 0, includes 0 handshake packets)
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICLossDetector.cc:194 (_on_ack_receive> (quic_loss_detector)        [1c9937877d7a7c14] Unacked packets 0 (retransmittable 0, includes 0 handshake packets)
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICLossDetector.cc:252 (_set_loss_detec> (quic_loss_detector)        [1c9937877d7a7c14] Loss detection alarm has been unset
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICFrameDispatcher.cc:61 (receive_frame> (quic_frame_handler)        Received STREAM frame, size 92
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:75 (init_flow_control_para> (quic_flow_ctrl)            [1c9937877d7a7c14] [4] [IDLE] [LOCAL] 0/2048
[Mar  2 01:56:02.511] Server {0x7ff319083700} DEBUG: <QUICStream.cc:77 (init_flow_control_para> (quic_flow_ctrl)            [1c9937877d7a7c14] [4] [IDLE] [REMOTE] 0/66560
[Mar  2 01:56:02.512] Server {0x7ff319083700} DEBUG: <QUICStream.cc:318 (recv)>                 (quic_flow_ctrl)            [1c9937877d7a7c14] [4] [IDLE] [LOCAL] 88/2048
[Mar  2 01:56:02.512] Server {0x7ff319083700} DEBUG: <QUICStream.cc:293 (_write_to_read_vio)>   (quic_flow_ctrl)            [1c9937877d7a7c14] [4] [IDLE] [LOCAL] 88/2136
[Mar  2 01:56:02.512] Server {0x7ff319083700} DEBUG: <QUICSimpleApp.cc:58 (main_event_handler)> (quic_simple_app)           [1c9937877d7a7c14] VC_EVENT_READ_READY (100)
=================================================================
==1931==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000061fff at pc 0x000000971525 bp 0x7ff3190800d0 sp 0x7ff3190800c0
WRITE of size 1 at 0x625000061fff thread T8 ([ET_NET 6])
    #0 0x971524 in mime_scanner_get(MIMEScanner*, char const**, char const*, char const**, char const**, bool*, bool, int) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:2446
    #1 0x971cee in mime_parser_parse(MIMEParser*, HdrHeap*, MIMEHdrImpl*, char const**, char const*, bool, bool) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:2572
    #2 0x94d9e4 in http_parser_parse_req(HTTPParser*, HdrHeap*, HTTPHdrImpl*, char const**, char const*, bool, bool, bool) /usr/local/src/trafficserver/proxy/hdrs/HTTP.cc:1120
    #3 0x95e42d in HTTPHdr::parse_req(HTTPParser*, IOBufferReader*, int*, bool, bool) /usr/local/src/trafficserver/proxy/hdrs/HdrTSOnly.cc:74
    #4 0x73a73d in HttpSM::state_read_client_request_header(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:636
    #5 0x74fcfe in HttpSM::main_handler(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:2586
    #6 0x5dec7e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
    #7 0x738e3f in HttpSM::setup_client_read_request_header() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:540
    #8 0x74448a in HttpSM::handle_api_return() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1585
    #9 0x7972df in HttpSM::do_api_callout() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:349
    #10 0x737035 in HttpSM::state_add_to_list(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:375
    #11 0x738a47 in HttpSM::attach_client_session(ProxyClientTransaction*, IOBufferReader*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:520
    #12 0x66d340 in ProxyClientTransaction::new_transaction() /usr/local/src/trafficserver/proxy/ProxyClientTransaction.cc:60
    #13 0xac0c93 in QUICSimpleApp::main_event_handler(int, Event*) /usr/local/src/trafficserver/proxy/hq/QUICSimpleApp.cc:79
    #14 0x5dec7e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
    #15 0xbdf69c in QUICStream::_signal_read_event() /usr/local/src/trafficserver/iocore/net/quic/QUICStream.cc:397
    #16 0xbdec90 in QUICStream::recv(std::shared_ptr<QUICStreamFrame const>) /usr/local/src/trafficserver/iocore/net/quic/QUICStream.cc:335
    #17 0xbd589f in QUICStreamManager::_handle_frame(std::shared_ptr<QUICStreamFrame const> const&) /usr/local/src/trafficserver/iocore/net/quic/QUICStreamManager.cc:178
    #18 0xbd4d8d in QUICStreamManager::handle_frame(std::shared_ptr<QUICFrame const>) /usr/local/src/trafficserver/iocore/net/quic/QUICStreamManager.cc:126
    #19 0xbbdc61 in QUICFrameDispatcher::receive_frames(unsigned char const*, unsigned short, bool&) /usr/local/src/trafficserver/iocore/net/quic/QUICFrameDispatcher.cc:68
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:360 (retransmit_pa> (quic_net)                  [1019bdcd2f5f376e] Retransmit packet #111255671 type HANDSHAKE
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:404 (_transmit_fra> (quic_net)                  [1019bdcd2f5f376e] Frame Type=STREAM Size=1224
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:1209 (_schedule_pa> (quic_net)                  [1019bdcd2f5f376e] Schedule QUIC_EVENT_PACKET_WRITE_READY event
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:360 (retransmit_pa> (quic_net)                  [1019bdcd2f5f376e] Retransmit packet #111255672 type HANDSHAKE
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:404 (_transmit_fra> (quic_net)                  [1019bdcd2f5f376e] Frame Type=STREAM Size=701
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICLossDetector.cc:327 (_on_loss_detect> (quic_loss_detector)        [1019bdcd2f5f376e] Unacked packets 0 (retransmittable 0, includes 0 handshake packets)
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICLossDetector.cc:252 (_set_loss_detec> (quic_loss_detector)        [1019bdcd2f5f376e] Loss detection alarm has been unset
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:942 (_store_frame)> (quic_net)                  [1019bdcd2f5f376e] type=STREAM
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:342 (_transmit_pac> (quic_net)                  [1019bdcd2f5f376e] Packet Number=111255673 Type=HANDSHAKE Size=1257
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:942 (_store_frame)> (quic_net)                  [1019bdcd2f5f376e] type=STREAM
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:342 (_transmit_pac> (quic_net)                  [1019bdcd2f5f376e] Packet Number=111255674 Type=HANDSHAKE Size=734
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICPacketHandler.cc:76 (_send_packet)>   (quic_sec)                  [1019bdcd2f5f376e] send HANDSHAKE packet to 34.218.64.203:51504, size=1257
[Mar  2 01:56:02.623] Server {0x7ff319f31700} DEBUG: <QUICLossDetector.cc:264 (_set_loss_detec> (quic_loss_detector)        [1019bdcd2f5f376e] Handshake retransmission alarm will be set
[Mar  2 01:56:02.623] Server {0x7ff319f31700} DEBUG: <QUICLossDetector.cc:294 (_set_loss_detec> (quic_loss_detector)        [1019bdcd2f5f376e] Loss detection alarm has been set to 400ms
[Mar  2 01:56:02.623] Server {0x7ff319f31700} DEBUG: <QUICPacketHandler.cc:76 (_send_packet)>   (quic_sec)                  [1019bdcd2f5f376e] send HANDSHAKE packet to 34.218.64.203:51504, size=734
[Mar  2 01:56:02.623] Server {0x7ff319f31700} DEBUG: <QUICLossDetector.cc:264 (_set_loss_detec> (quic_loss_detector)        [1019bdcd2f5f376e] Handshake retransmission alarm will be set
[Mar  2 01:56:02.623] Server {0x7ff319f31700} DEBUG: <QUICLossDetector.cc:294 (_set_loss_detec> (quic_loss_detector)        [1019bdcd2f5f376e] Loss detection alarm has been set to 400ms
    #20 0xb6aca8 in QUICNetVConnection::_recv_and_ack(unsigned char const*, unsigned short, unsigned long) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:1037
    #21 0xb67224 in QUICNetVConnection::_state_connection_established_process_packet(std::unique_ptr<QUICPacket, void (*)(QUICPacket*)>) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:821
    #22 0xb67a1a in QUICNetVConnection::_state_common_receive_packet() /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:864
    #23 0xb64a75 in QUICNetVConnection::state_connection_established(int, Event*) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:572
    #24 0x5dec7e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
    #25 0xb64243 in QUICNetVConnection::state_handshake(int, Event*) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:538
    #26 0x5dec7e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
    #27 0xb6619b in QUICNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:696
    #28 0xb22bfb in NetHandler::process_ready_list() /usr/local/src/trafficserver/iocore/net/UnixNet.cc:391
    #29 0xb2407b in NetHandler::waitForActivity(long) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:523
    #30 0xc4d9b4 in EThread::execute_regular() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:271
    #31 0xc4e1cb in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:324
    #32 0xc4a9a0 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #33 0x7ff32142d36c in start_thread (/lib64/libpthread.so.0+0x736c)
    #34 0x7ff3206a7e1e in __GI___clone (/lib64/libc.so.6+0x110e1e)

0x625000061fff is located 1 bytes to the left of 4096-byte region [0x625000062000,0x625000063000)
allocated by thread T8 ([ET_NET 6]) here:
    #0 0x7ff3230894a0 in posix_memalign (/lib64/libasan.so.4+0xdf4a0)
    #1 0x7ff322d2660c in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:103
    #2 0x7ff322d286fd in malloc_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:261
    #3 0x7ff322d27af1 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:184
    #4 0x5ddb67 in Allocator::alloc_void() ../../lib/ts/Allocator.h:63
    #5 0x5df057 in IOBufferData::alloc(long, AllocType) /usr/local/src/trafficserver/iocore/eventsystem/P_IOBuffer.h:293
    #6 0x5dee74 in new_IOBufferData_internal(char const*, long, AllocType) /usr/local/src/trafficserver/iocore/eventsystem/P_IOBuffer.h:264
    #7 0x5df2a8 in IOBufferBlock::alloc(long) /usr/local/src/trafficserver/iocore/eventsystem/P_IOBuffer.h:409
    #8 0x618f3a in MIOBuffer::append_block(long) /usr/local/src/trafficserver/iocore/eventsystem/P_IOBuffer.h:960
    #9 0x618f94 in MIOBuffer::add_block() /usr/local/src/trafficserver/iocore/eventsystem/P_IOBuffer.h:968
    #10 0xc46364 in MIOBuffer::write(void const*, long) /usr/local/src/trafficserver/iocore/eventsystem/IOBuffer.cc:103
    #11 0xac50c2 in HQClientTransaction::_process_read_vio() /usr/local/src/trafficserver/proxy/hq/HQClientTransaction.cc:379
    #12 0xac3408 in HQClientTransaction::do_io_read(Continuation*, long, MIOBuffer*) /usr/local/src/trafficserver/proxy/hq/HQClientTransaction.cc:185
    #13 0x73883d in HttpSM::attach_client_session(ProxyClientTransaction*, IOBufferReader*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:510
    #14 0x66d340 in ProxyClientTransaction::new_transaction() /usr/local/src/trafficserver/proxy/ProxyClientTransaction.cc:60
    #15 0xac0c93 in QUICSimpleApp::main_event_handler(int, Event*) /usr/local/src/trafficserver/proxy/hq/QUICSimpleApp.cc:79
    #16 0x5dec7e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
    #17 0xbdf69c in QUICStream::_signal_read_event() /usr/local/src/trafficserver/iocore/net/quic/QUICStream.cc:397
    #18 0xbdec90 in QUICStream::recv(std::shared_ptr<QUICStreamFrame const>) /usr/local/src/trafficserver/iocore/net/quic/QUICStream.cc:335
    #19 0xbd589f in QUICStreamManager::_handle_frame(std::shared_ptr<QUICStreamFrame const> const&) /usr/local/src/trafficserver/iocore/net/quic/QUICStreamManager.cc:178
    #20 0xbd4d8d in QUICStreamManager::handle_frame(std::shared_ptr<QUICFrame const>) /usr/local/src/trafficserver/iocore/net/quic/QUICStreamManager.cc:126
    #21 0xbbdc61 in QUICFrameDispatcher::receive_frames(unsigned char const*, unsigned short, bool&) /usr/local/src/trafficserver/iocore/net/quic/QUICFrameDispatcher.cc:68
    #22 0xb6aca8 in QUICNetVConnection::_recv_and_ack(unsigned char const*, unsigned short, unsigned long) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:1037
    #23 0xb67224 in QUICNetVConnection::_state_connection_established_process_packet(std::unique_ptr<QUICPacket, void (*)(QUICPacket*)>) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:821
    #24 0xb67a1a in QUICNetVConnection::_state_common_receive_packet() /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:864
    #25 0xb64a75 in QUICNetVConnection::state_connection_established(int, Event*) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:572
    #26 0x5dec7e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
    #27 0xb64243 in QUICNetVConnection::state_handshake(int, Event*) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:538
    #28 0x5dec7e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
    #29 0xb6619b in QUICNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:696

Thread T8 ([ET_NET 6]) created by T0 ([TS_MAIN]) here:
    #0 0x7ff322fe1a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
    #1 0xc4a23a in ink_thread_create ../../lib/ts/ink_thread.h:156
    #2 0xc4aac9 in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:102
    #3 0xc53f25 in EventProcessor::spawn_event_threads(int, int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:383
    #4 0xc5473d in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:446
    #5 0x62ef0b in main /usr/local/src/trafficserver/proxy/Main.cc:1825
    #6 0x7ff3205b7889 in __libc_start_main (/lib64/libc.so.6+0x20889)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:2446 in mime_scanner_get(MIMEScanner*, char const**, char const*, char const**, char const**, bool*, bool, int)
Shadow bytes around the buggy address:
  0x0c4a800043a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800043b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800043c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800043d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a800043e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a800043f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a80004400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80004410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80004420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80004430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80004440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1931==ABORTING

maskit commented 6 years ago

I guess it is triggered by the HTTP/0.9 to 1.1 conversion in the QUIC test application, but it looks like the cause is inside the HTTP header parser in core. The same input from clients may be able to cause the same thing.
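
An added triage example for the report above (not code from this thread or from Traffic Server): it extracts the access type, the faulting frame and the offset relative to the allocation from the ASan output, tolerates debug lines interleaved in the stack, and lists the source directories from the fault outward. The names `triage`, `SAMPLE` and `ROOT` are chosen for this example; the sample lines are excerpted from the report.

```python
import posixpath
import re

ROOT = "/usr/local/src/trafficserver/"  # build path seen in the report

# Lines excerpted from the report above (most frames omitted); the "[Mar ..."
# debug line sits mid-stack, as it does in the original output.
SAMPLE = """\
==1931==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000061fff at pc 0x000000971525 bp 0x7ff3190800d0 sp 0x7ff3190800c0
WRITE of size 1 at 0x625000061fff thread T8 ([ET_NET 6])
    #0 0x971524 in mime_scanner_get(MIMEScanner*, char const**, char const*, char const**, char const**, bool*, bool, int) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:2446
    #1 0x971cee in mime_parser_parse(MIMEParser*, HdrHeap*, MIMEHdrImpl*, char const**, char const*, bool, bool) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:2572
    #13 0xac0c93 in QUICSimpleApp::main_event_handler(int, Event*) /usr/local/src/trafficserver/proxy/hq/QUICSimpleApp.cc:79
[Mar  2 01:56:02.622] Server {0x7ff319f31700} DEBUG: <QUICNetVConnection.cc:942 (_store_frame)> (quic_net)                  [1019bdcd2f5f376e] type=STREAM
    #20 0xb6aca8 in QUICNetVConnection::_recv_and_ack(unsigned char const*, unsigned short, unsigned long) /usr/local/src/trafficserver/iocore/net/QUICNetVConnection.cc:1037

0x625000061fff is located 1 bytes to the left of 4096-byte region [0x625000062000,0x625000063000)
allocated by thread T8 ([ET_NET 6]) here:
    #0 0x7ff3230894a0 in posix_memalign (/lib64/libasan.so.4+0xdf4a0)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at ")
FRAME = re.compile(r"^\s+#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$")
REGION = re.compile(r"^0x[0-9a-f]+ is located .* region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def triage(report, src_root=ROOT):
    """Summarise the first ASan error in `report` (header line must be present)."""
    out = {"frames": [], "path": []}
    in_access_stack = False
    for line in report.splitlines():
        if m := HEADER.search(line):
            out["kind"], out["addr"] = m[1], int(m[2], 16)
        elif m := ACCESS.match(line):
            out["access"], out["size"] = m[1], int(m[2])
            in_access_stack = True
        elif in_access_stack and (m := FRAME.match(line)):
            # Keep only the function name; strip the build prefix from the path.
            loc = m[3].removeprefix(src_root)
            out["frames"].append((int(m[1]), m[2].split("(")[0], loc))
            comp = posixpath.dirname(loc.rsplit(":", 1)[0])
            if comp not in out["path"]:
                out["path"].append(comp)
        elif in_access_stack and not line.strip():
            in_access_stack = False  # only a blank line ends the access stack
        elif m := REGION.match(line):
            start, end = int(m[1], 16), int(m[2], 16)
            out["offset"] = out["addr"] - start  # relative to the allocation
            if out["offset"] < 0:
                out["direction"] = "underflow"
            elif out["addr"] >= end:
                out["direction"] = "overflow"
            else:
                out["direction"] = "inside"
    return out


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f'{r["access"]} of {r["size"]} byte(s), {r["kind"]}, '
          f'{r["direction"]} at offset {r["offset"]}')
    print("faulting frame:", r["frames"][0][1], r["frames"][0][2])
    print("components, fault outward:", " <- ".join(r["path"]))
```

On the sample, the write lands one byte before the 4096-byte block, with the faulting frames in `proxy/hdrs` and the QUIC code appearing only further out in the call path.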

bryancall commented 5 years ago

If this is still an issue please reopen.