Bug #7157
closedmemcpy to unknow address due to CALLOC and Realloc without setting sc_errno
Description
The StreamingBufferAppend and StreamingBufferAppendNoTrack logic utilizes sc_errno to validate the success of malloc and realloc operations. However, the malloc and realloc functions implemented at the application layer appear to not properly set the sc_errno value upon failure. This leads to a scenario where malloc failures result in a null pointer being returned, but the streamingbuffer component does not account for this error condition. Consequently, the subsequent memcpy operation triggers a crash.
In our 10 Gb/s production environment, we are experiencing frequent occurrences of these crashes, and we aim to address and resolve this issue.
int StreamingBufferAppend(StreamingBuffer *sb, const StreamingBufferConfig *cfg,
StreamingBufferSegment *seg, const uint8_t *data, uint32_t data_len)
{
DEBUG_VALIDATE_BUG_ON(seg NULL);
if (sb->region.buf NULL) {
if (InitBuffer(sb, cfg) == -1)
return -1;
}
int r = DataFits(sb, data_len);
if (r < 0) {
DEBUG_VALIDATE_BUG_ON(1);
return 1;
} else if (r 0) {
if (sb>region.buf_size 0) {
if (GrowToSize(sb, cfg, data_len) != SC_OK) <----- applayer realloc did not set sc_errno value, so might be SC_OK
return 1;
} else {
if (GrowToSize(sb, cfg, sb>region.buf_offset + data_len) != SC_OK) <----- applayer realloc did not set sc_errno value, so might be SC_OK
return -1;
}
}
DEBUG_VALIDATE_BUG_ON(DataFits(sb, data_len) != 1);
memcpy(sb->region.buf + sb->region.buf_offset, data, data_len);
}
Here is the stacktrace when crashed in production env
Files
Updated by Victor Julien 6 months ago
Looks like a duplicate of #6782, fixed in master and 7.0.6. What version are you running?
Updated by Victor Julien 6 months ago
- Priority changed from High to Normal
- Label deleted (
Needs backport to 7.0)
Updated by chris tang 5 months ago
- Status changed from New to Rejected
- Priority changed from Normal to High
- Label Needs backport to 7.0 added
Updated by Victor Julien 5 months ago
- Assignee deleted (
OISF Dev) - Priority changed from High to Normal
- Target version deleted (
TBD)
Updated by Victor Julien 5 months ago
- Is duplicate of Bug #6782: streaming/buffer: crash in HTTP body handling added