LogAccessHttp init strlen to 0, not -1 (master)

[a-canary]

Code was using -1 string length to signify that had not been validated yet. This caused marshal_mem to allocate 0 bytes, below the INK_MIN_ALIGN, and write to unallocated mem.
Now code initializes all string length vars to 0, and upon failure to validate, the string ptr is set to INVALID_STR to prevent multiple validataions attempts.

Fixes YTSATS-1240

[jpeach]

Please fix the git user.name:

From: Unknown <acanary@yahoo-inc.com>

[zwoop]

This has to go on the 7.1.x branch too ?

[bryancall]

[approve ci]

[a-canary]

Yahoo doesn't need it ported to 7.1, given that is only a rare logging error that only we are seeing. I am looking into back porting to 5.3, because that is where the issue was discovered by our analysis team.

unknown user.name... I'm a git newb.

[jpeach]

On Jun 8, 2017, at 1:47 PM, a-canary ***@***.***> wrote: Yahoo doesn't need it ported to 7.1, given that is only a rare logging error that only we are seeing. I am looking into back porting to 5.3, because that is where the issue was discovered by our analysis team. unknown user.name... I'm a git newb.

Take a look at https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup

[a-canary]

User name fixed

[leighklotz]

Given that this is a write to unallocated memory, is it a potential security issue that should be fixed in latest version as well?

[a-canary]

It is not a security issue because it is contained to the log buffer memory, and output.

Specifically this case it is writing past the end of it's allocated log buffer by 1 byte. It would write "-", a second thread would allocate and write that same address, then the first thread would flush the log buffer to a file, and the "-" is replaced with a random character.

[bryancall]

Wouldn't adding a check on len > 0 here and not add it to bytes also work? This way you wouldn't have to set m_cache_lookup_url_canon_str or have INVALID_STR.

[a-canary]

The core of the problem was LogAccessHttp.cc:ln487,
len = round_strlen(m_client_req_unmapped_url_host_len + 1); // +1 for eos
When m_client_req_unmapped_url_host_len is -1, len is set to 0.
And strlen of -1 is kind of gross way to indicate that can't resolve the host name. In the future we would like to change all these to StringView, so this nudges us in that direction.

This assert is just to ensure no other code paths where having the same issue.

[bryancall]

I am not seeing that in the code on master round_strlen(m_client_req_unmapped_url_host_len + 1);. What line are you referring to?

[bryancall]

It looks like you are referring to the ATS 5.3.x branch in your comment above. This looks like it has been resolved on master and 7.1.x. Please confirm.

[SolidWallOfCode]

Looks like commit 9399a76 patched this particular place (for TS-3841).

[SolidWallOfCode]

I'm not sure what you're suggesting, Bryan, is different from the ink_release_assert on line 776 here. len shouldn't just be greater than zero, it should be at least INK_MIN_ALIGN.

[bryancall]

I am stating this is not an issue for master and 7.1.x, if you want to add an assert that is OK, but is it not required. I would keep what is in LogField.cc and get rid of the rest of the changes.

[SolidWallOfCode]

This is not the only logging anomaly we are seeing so I suspect it is in fact an issue elsewhere. I would rather do a basic fix rather than patching after the fact.

[SolidWallOfCode]

My view is that INVALID_STR should be removed or left const char* and m_arena->str_alloc should be used if there is no valid URL to reference. That should be sufficiently cheap to be viable as in almost all cases there will be a URL.

[bryancall]

I am stating this is not an issue for master and 7.1.x, if you want to add an assert that is OK, but is it not required. I would keep what is in LogField.cc and get rid of the rest of the changes.

[bryancall]

The main issues I have with this PR:

1. I don't like that the invalid string has a length of 1, but the string length is being set to 0. I would rather stay with the length of -1 to mean invalid and the code is set to honor this. Maybe moving to "" and a length of 0 would work, but then all the code should change that is looking for invalid as being -1.
2. const variables should be used in favor of #define.

[a-canary]

The invalid string is not expected to be printed. It is merely a non-null address so that validation does not run multiple times. In the case that lookup url or canon host fails to resolve, the _len remains 0, thus the default "-" is printed in marshal_mem.
We are trying to move away from the strlen of -1 initialization, because there are many functions where that has undefined behaviour, or it casted to unsigned type, which is scary.

[a-canary]

I just pushed another commit to address the concerns above. Please review. Susan is testing this on one of the ats 7 production (test) boxes. So far so good.
If that goes well, I'll do another pull request for the 5.3 integration on Monday.

[a-canary]

It has survived a night in the wild. Are there any remaining concerns?

[a-canary]

Fixed format and squashed. It is ready to go now.

Aaron fixed his email problem and the commit data is good now.