fastly / libvmod-urlcode

urlencode/urldecode functions vmod

panic in WS_Release due to canary being overwritten

nigoroll opened this issue

```c
*b++ = (char) ((h << 4) | l);
```

here the canary at the end of the WS reservation gets overwritten for the l < 0 case

panic seen in production:

```
Last panic at: Fri, 20 Jul 2018 11:39:40 GMT
"Assert error in WS_Assert(), cache/cache_ws.c line 59:
  Condition(*ws->e == 0x15) not true.
thread = (cache-worker)
version = varnish-4.1.8 revision d266ac5c6
ident = Linux,4.4.0-53-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit,epoll
now = 20127569.628944 (mono), 1532086523.610831 (real)
Backtrace:
  0x434122: pan_ic+0x182
  0x44ba5b: WS_Assert+0x18b
  0x44c240: WS_Release+0x10
  0x7f55780f0dad: libvmod_urlcode.so(vmod_decode+0x24d) [0x7f55780f0dad]
  0x7f557c43adb8: vgc.so(VGC_function_vcl_recv+0x868) [0x7f557c43adb8]
  0x440357: vcl_call_method+0x1e7
  0x44269a: VCL_recv_method+0x5a
  0x437739: CNT_Request+0xa19
  0x45036a: HTTP1_Session+0x4aa
  0x43a68d: SES_Proto_Req+0x5d
```
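
A defensive pattern for the class of bug reported above, as an added example that is not the vmod's own code or its fix: a percent-decoder that checks the output bound before every write, run against a buffer with a canary byte placed directly after the usable space. The names `hex_val`, `url_decode` and `canary_intact`, the buffer layout, and the choice to copy malformed escapes through literally are assumptions made for illustration; only the `0x15` canary value comes from the panic message.

```c
#include <stdio.h>
#include <string.h>
#define CANARY 0x15 /* the value WS_Assert checks at *ws->e in the panic above */

/* 0..15 for a hex digit, -1 for anything else, including the NUL terminator. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode src into dst[0..cap-1] with a trailing NUL; returns the length, or -1
 * if it does not fit. Assumption: "%", "%4", "%4z" are copied through as-is. */
static long url_decode(char *dst, size_t cap, const char *src)
{
    char *b = dst, *e;
    int h, l;
    if (cap == 0) return -1;
    e = dst + cap - 1;              /* last usable slot is kept for the NUL */
    while (*src) {
        char out = *src;
        /* src[2] is only read when src[1] is a hex digit, so never past the NUL */
        if (*src == '%' && (h = hex_val(src[1])) >= 0 && (l = hex_val(src[2])) >= 0) {
            out = (char)((h << 4) | l);
            src += 2;
        }
        if (b >= e) return -1;      /* refuse rather than write past the end */
        *b++ = out;
        src++;
    }
    *b = '\0';
    return (long)(b - dst);
}

/* Constructed harness: ws must hold cap + 1 bytes; ws[cap] is the canary. */
static int canary_intact(char *ws, size_t cap, const char *src, long *len)
{
    ws[cap] = CANARY;
    *len = url_decode(ws, cap, src);
    return ws[cap] == CANARY;
}

int main(void)
{
    char ws[16]; long n;
    int ok = canary_intact(ws, 8, "a%20b%4", &n);   /* constructed input */
    printf("%ld \"%s\" canary=%s\n", n, ws, ok ? "intact" : "overwritten");
}
```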