Access to freed memory in HTTP client

Bug #1461910 reported by Hari Prasad Killi
This bug affects 2 people
Affects: Juniper Openstack (status tracked in Trunk)

Series   Status          Importance   Assigned to         Milestone
R2.0     Fix Committed   High         Hari Prasad Killi
R2.20    Fix Committed   High         Hari Prasad Killi
Trunk    Fix Committed   High         Hari Prasad Killi

Bug Description

==26894== Thread 3:
==26894== Invalid read of size 8
==26894== at 0x17B8E06: send_perform(_ConnInfo*, _GlobalInfo*) (http_curl.cc:336)
==26894== by 0x17B95EF: http_post(_ConnInfo*, _GlobalInfo*) (http_curl.cc:469)
==26894== by 0x17AF635: HttpConnection::HttpProcessInternal(std::string, std::string, bool, bool, bool, std::vector<std::string, std::allocator<std::string> >, boost::function<void (std::string&, boost::system::error_code&)>, http_method) (http_client.cc:232)
==26894== by 0x17B732A: boost::_mfi::mf8<void, HttpConnection, std::string, std::string, bool, bool, bool, std::vector<std::string, std::allocator<std::string> >, boost::function<void (std::string&, boost::system::error_code&)>, http_method>::operator()(HttpConnection*, std::string, std::string, bool, bool, bool, std::vector<std::string, std::allocator<std::string> >, boost::function<void (std::string&, boost::system::error_code&)>, http_method) const (mem_fn_template.hpp:958)
==26894== by 0x17B63C0: void boost::_bi::list9<boost::_bi::value<HttpConnection*>, boost::_bi::value<std::string>, boost::_bi::value<std::string>, boost::_bi::value<bool>, boost::_bi::value<bool>, boost::_bi::value<bool>, boost::_bi::value<std::vector<std::string, std::allocator<std::string> > >, boost::_bi::value<boost::function<void (std::string&, boost::system::error_code&)> >, boost::_bi::value<http_method> >::operator()<boost::_mfi::mf8<void, HttpConnection, std::string, std::string, bool, bool, bool, std::vector<std::string, std::allocator<std::string> >, boost::function<void (std::string&, boost::system::error_code&)>, http_method>, boost::_bi::list0>(boost::_bi::type<void>, boost::_mfi::mf8<void, HttpConnection, std::string, std::string, bool, bool, bool, std::vector<std::string, std::allocator<std::string> >, boost::function<void (std::string&, boost::system::error_code&)>, http_method>&, boost::_bi::list0&, int) (bind.hpp:827)
==26894== by 0x17B5078: boost::_bi::bind_t<void, boost::_mfi::mf8<void, HttpConnection, std::string, std::string, bool, bool, bool, std::vector<std::string, std::allocator<std::string> >, boost::function<void (std::string&, boost::system::error_code&)>, http_method>, boost::_bi::list9<boost::_bi::value<HttpConnection*>, boost::_bi::value<std::string>, boost::_bi::value<std::string>, boost::_bi::value<bool>, boost::_bi::value<bool>, boost::_bi::value<bool>, boost::_bi::value<std::vector<std::string, std::allocator<std::string> > >, boost::_bi::value<boost::function<void (std::string&, boost::system::error_code&)> >, boost::_bi::value<http_method> > >::operator()() (bind_template.hpp:20)
==26894== by 0x17B435D: boost::detail::function::void_function_obj_invoker0<boost::_bi::bind_t<void, boost::_mfi::mf8<void, HttpConnection, std::string, std::string, bool, bool, bool, std::vector<std::string, std::allocator<std::string> >, boost::function<void (std::string&, boost::system::error_code&)>, http_method>, boost::_bi::list9<boost::_bi::value<HttpConnection*>, boost::_bi::value<std::string>, boost::_bi::value<std::string>, boost::_bi::value<bool>, boost::_bi::value<bool>, boost::_bi::value<bool>, boost::_bi::value<std::vector<std::string, std::allocator<std::string> > >, boost::_bi::value<boost::function<void (std::string&, boost::system::error_code&)> >, boost::_bi::value<http_method> > >, void>::invoke(boost::detail::function::function_buffer&) (function_template.hpp:153)
==26894== by 0x1183637: boost::function0<void>::operator()() const (function_template.hpp:767)
==26894== by 0x17B0663: HttpClient::DequeueEvent(boost::function<void ()>) (http_client.cc:394)
==26894== by 0x17B75EB: boost::_mfi::mf1<bool, HttpClient, boost::function<void ()> >::operator()(HttpClient*, boost::function<void ()>) const (mem_fn_template.hpp:165)
==26894== by 0x17B6602: bool boost::_bi::list2<boost::_bi::value<HttpClient*>, boost::arg<1> >::operator()<bool, boost::_mfi::mf1<bool, HttpClient, boost::function<void ()> >, boost::_bi::list1<boost::function<void ()>&> >(boost::_bi::type<bool>, boost::_mfi::mf1<bool, HttpClient, boost::function<void ()> >&, boost::_bi::list1<boost::function<void ()>&>&, long) (bind.hpp:303)
==26894== by 0x17B5259: bool boost::_bi::bind_t<bool, boost::_mfi::mf1<bool, HttpClient, boost::function<void ()> >, boost::_bi::list2<boost::_bi::value<HttpClient*>, boost::arg<1> > >::operator()<boost::function<void ()> >(boost::function<void ()>&) (bind_template.hpp:32)
==26894== Address 0xe1a5b78 is 312 bytes inside a block of size 320 free'd
==26894== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26894== by 0x17B9025: del_curl_handle(_ConnInfo*, _GlobalInfo*) (http_curl.cc:370)
==26894== by 0x17B8253: check_multi_info(_GlobalInfo*) (http_curl.cc:102)
==26894== by 0x17B8606: timer_cb(_GlobalInfo*) (http_curl.cc:157)
==26894== by 0x17B7FEC: multi_timer_cb(void*, long, HttpClient*) (http_curl.cc:47)
==26894== by 0x4E67817: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.3.0)
==26894== by 0x4E6A4D7: curl_multi_socket_action (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.3.0)
==26894== by 0x17B85B8: timer_cb(_GlobalInfo*) (http_curl.cc:149)
==26894== by 0x17B7FEC: multi_timer_cb(void*, long, HttpClient*) (http_curl.cc:47)
==26894== by 0x4E67817: ??? (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.3.0)
==26894== by 0x4E68CEC: curl_multi_add_handle (in /usr/lib/x86_64-linux-gnu/libcurl.so.4.3.0)
==26894== by 0x17B8DBB: send_perform(_ConnInfo*, _GlobalInfo*) (http_curl.cc:327)
==26894==

Changed in juniperopenstack:
milestone: none → r2.30-fcs
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/11277
Submitter: Hari Prasad Killi (<email address hidden>)

tags: added: blocker
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/11277
Committed: http://github.org/Juniper/contrail-controller/commit/25d37477939bd3ea5adf2847e2ceb0f471f22bd9
Submitter: Zuul
Branch: R2.20

commit 25d37477939bd3ea5adf2847e2ceb0f471f22bd9
Author: Hari <email address hidden>
Date: Thu Jun 4 18:06:36 2015 +0530

Fix valgrind reported issue in HTTP client

check_multi_info is invoked from "http client" and asio contexts.
Calling delete of connection info from here causes problems due to this.
Moving this such that if a new connection is created and if old
connection info is available, it is deleted. The last one is deleted when
HttpConnection is removed. Rechecked valgrind with this fix.

Change-Id: I0d2592b6ddb098d8f86e8036b0c1aa5c979627ac
closes-bug: 1461910
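
The ownership rule this commit message describes, as an added C++ illustration that is not the contrail-controller code: the completion handler may run re-entrantly inside the call that registers the handle (as in the valgrind trace, where the free happens beneath curl_multi_add_handle), so it only marks the connection info done, and the info is released when the next request replaces it or when the owning connection is destroyed. All names here (ConnInfo, Multi, Connection, live_conn_infos) are hypothetical stand-ins.

```cpp
// Added illustration; every name is hypothetical, not the project's code.
#include <functional>
#include <memory>

static int live_conn_infos = 0;   // number of ConnInfo objects currently allocated

struct ConnInfo {
    bool done = false;
    int bytes_sent = 0;
    ConnInfo() { ++live_conn_infos; }
    ~ConnInfo() { --live_conn_infos; }
};

// Stand-in for the multi-handle library: registering a handle may invoke the
// completion callback before add_handle() returns (the re-entrancy in the trace).
struct Multi {
    std::function<void(ConnInfo*)> on_complete;
    void add_handle(ConnInfo* c) { if (on_complete) on_complete(c); }
};

class Connection {
public:
    explicit Connection(Multi* m) : multi_(m) {
        // The unsafe pattern would be `delete c;` here: the caller of
        // add_handle() still holds c and reads it after the call returns.
        // The handler therefore only records completion and never frees.
        multi_->on_complete = [](ConnInfo* c) { c->done = true; };
    }

    // Starting a new request is where the previous ConnInfo is released.
    int Send(int len) {
        info_.reset(new ConnInfo());   // frees the old ConnInfo, if any
        ConnInfo* c = info_.get();
        multi_->add_handle(c);         // callback may fire re-entrantly here
        c->bytes_sent = len;           // safe: info_ still owns c
        return c->done ? c->bytes_sent : -1;
    }

private:
    Multi* multi_;
    std::unique_ptr<ConnInfo> info_;   // last ConnInfo is freed with Connection
};
```

At most one ConnInfo is alive per Connection at any time, and none is freed from inside a callback.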

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/11313
Submitter: Hari Prasad Killi (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.0

Review in progress for https://review.opencontrail.org/11314
Submitter: Hari Prasad Killi (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/11355
Submitter: Hari Prasad Killi (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/11313
Committed: http://github.org/Juniper/contrail-controller/commit/479ca0485fbd69b55d02322e4cd29636464616fd
Submitter: Zuul
Branch: master

commit 479ca0485fbd69b55d02322e4cd29636464616fd
Author: Hari <email address hidden>
Date: Thu Jun 4 18:06:36 2015 +0530

Fix valgrind reported issue in HTTP client

check_multi_info is invoked from "http client" and asio contexts.
Calling delete of connection info from here causes problems due to this.
Moving this such that if a new connection is created and if old
connection info is available, it is deleted. The last one is deleted when
HttpConnection is removed. Rechecked valgrind with this fix.

Change-Id: I0d2592b6ddb098d8f86e8036b0c1aa5c979627ac
closes-bug: 1461910
(cherry picked from commit 25d37477939bd3ea5adf2847e2ceb0f471f22bd9)

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/11355
Committed: http://github.org/Juniper/contrail-controller/commit/cdd9fda456bc066b00bd2c7e793f210f334398b2
Submitter: Zuul
Branch: R2.20

commit cdd9fda456bc066b00bd2c7e793f210f334398b2
Author: Hari <email address hidden>
Date: Sun Jun 7 23:02:05 2015 +0530

Add NULL check for http connection session.

Change-Id: Id49ad8bb4def76d9f5316cf9cad4d8444631be96
closes-bug: 1461910

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/11314
Committed: http://github.org/Juniper/contrail-controller/commit/f029079b6e7c715df38fc74922367d437c4e4889
Submitter: Zuul
Branch: R2.0

commit f029079b6e7c715df38fc74922367d437c4e4889
Author: Hari <email address hidden>
Date: Thu Jun 4 18:06:36 2015 +0530

Fix valgrind reported issue in HTTP client

check_multi_info is invoked from "http client" and asio contexts.
Calling delete of connection info from here causes problems due to this.
Moving this such that if a new connection is created and if old
connection info is available, it is deleted. The last one is deleted when
HttpConnection is removed. Rechecked valgrind with this fix.

Change-Id: I0d2592b6ddb098d8f86e8036b0c1aa5c979627ac
closes-bug: 1461910
(cherry picked from commit 25d37477939bd3ea5adf2847e2ceb0f471f22bd9)
