panic in WS_Release due to canary being overwritten
nigoroll opened this issue
Nils Goroll commented
libvmod-urlcode/src/vmod_urlcode.c
Line 111 in ee2a24f
Here the canary at the end of the WS reservation gets overwritten for the `l < 0` case.

Panic seen in production:
```
Last panic at: Fri, 20 Jul 2018 11:39:40 GMT
"Assert error in WS_Assert(), cache/cache_ws.c line 59:
Condition(*ws->e == 0x15) not true.
thread = (cache-worker)
version = varnish-4.1.8 revision d266ac5c6
ident = Linux,4.4.0-53-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit,epoll
now = 20127569.628944 (mono), 1532086523.610831 (real)
Backtrace:
0x434122: pan_ic+0x182
0x44ba5b: WS_Assert+0x18b
0x44c240: WS_Release+0x10
0x7f55780f0dad: libvmod_urlcode.so(vmod_decode+0x24d) [0x7f55780f0dad]
0x7f557c43adb8: vgc.so(VGC_function_vcl_recv+0x868) [0x7f557c43adb8]
0x440357: vcl_call_method+0x1e7
0x44269a: VCL_recv_method+0x5a
0x437739: CNT_Request+0xa19
0x45036a: HTTP1_Session+0x4aa
0x43a68d: SES_Proto_Req+0x5d
```
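
A toy model of the reserve/release-with-end-canary pattern that the failed assertion checks, added here as an example; it is not code from libvmod-urlcode or Varnish. The `toy_*` names, the 16-byte buffer, and the decoder that returns a negative length when its output does not fit are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define WS_CANARY 0x15   /* value the assertion in the panic compares against */

/* Toy workspace (hypothetical model, not Varnish's struct ws). */
struct toy_ws {
    char  buf[17];       /* 16 usable bytes plus one canary byte at *e */
    char *f, *r, *e;     /* free pointer, reservation end, canary position */
};

static void toy_init(struct toy_ws *ws) {
    ws->f = ws->buf;
    ws->r = NULL;
    ws->e = ws->buf + sizeof ws->buf - 1;
    *ws->e = WS_CANARY;
}

static int toy_canary_ok(const struct toy_ws *ws) { return *ws->e == WS_CANARY; }

/* Reserve everything that is left; returns the number of usable bytes. */
static size_t toy_reserve(struct toy_ws *ws) {
    ws->r = ws->e;
    return (size_t)(ws->e - ws->f);
}

/* Keep `used` bytes; -1 if the canary is damaged or `used` exceeds the reservation. */
static int toy_release(struct toy_ws *ws, size_t used) {
    if (!toy_canary_ok(ws) || used > (size_t)(ws->r - ws->f)) return -1;
    ws->f += used;
    ws->r = NULL;
    return 0;
}

/* Assumed decoder: returns bytes written, or -1 if src plus a NUL does not fit. */
static long toy_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > cap) return -1;          /* refuse before writing anything */
    memcpy(dst, src, n);
    return (long)n;
}

/* Caller: test l < 0 before l is used as an index or a release size. */
static const char *toy_decode(struct toy_ws *ws, const char *src) {
    size_t u = toy_reserve(ws);
    char *p = ws->f;
    long l = toy_copy(p, u, src);
    if (l < 0) { toy_release(ws, 0); return NULL; }   /* error path writes nothing */
    p[l] = '\0';                          /* l + 1 <= u, so this stays below *e */
    return toy_release(ws, (size_t)l + 1) == 0 ? p : NULL;
}
```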