id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
2431,HTTP3: Clang reports heap-use-after-free in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:231,bullerdu@…,,"==4234==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00004a4a0 at pc 0x0000004e9d7f bp 0x7ffedf26fdd0 sp 0x7ffedf26f580
READ of size 6 at 0x61e00004a4a0 thread T0
    #0 0x4e9d7e in __interceptor_memcpy.part.41 (nginx +0x4e9d7e)
    #1 0x82b1af in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:231
    #2 0x82cd6f in ngx_http_v3_duplicate src/http/v3/ngx_http_v3_table.c:421
    #3 0x829a78 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1519
    #4 0x829a78 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
    #5 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
    #6 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
    #7 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
    #8 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
    #9 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
    #10 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
    #11 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
    #12 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
    #13 0x5864fc in main src/core/nginx.c:448
    #14 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)
    #15 0x4ac228 (nginx +0x4ac228)

freed by thread T0 here:
    #0 0x54e7e0 in free (nginx+0x54e7e0)
    #1 0x82aded in ngx_http_v3_evict src/http/v3/ngx_http_v3_table.c:381
    #2 0x82afec in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:210
    #3 0x82cd6f in ngx_http_v3_duplicate src/http/v3/ngx_http_v3_table.c:421
    #4 0x829a78 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1519
    #5 0x829a78 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
    #6 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
    #7 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
    #8 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
    #9 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
    #10 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
    #11 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
    #12 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
    #13 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
    #14 0x5864fc in main src/core/nginx.c:448
    #15 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)

previously allocated by thread T0 here:
    #0 0x54eaf8 in malloc (nginx+0x54eaf8)
    #1 0x5fc3a3 in ngx_alloc src/os/unix/ngx_alloc.c:22
    #2 0x82b12d in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:221
    #3 0x82c91a in ngx_http_v3_ref_insert src/http/v3/ngx_http_v3_table.c:195
    #4 0x829f52 in ngx_http_v3_parse_field_inr src/http/v3/ngx_http_v3_parse.c:1624
    #5 0x829f52 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1479
    #6 0x829f52 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
    #7 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
    #8 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
    #9 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
    #10 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
    #11 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
    #12 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
    #13 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
    #14 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
    #15 0x5864fc in main src/core/nginx.c:448
    #16 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)

SUMMARY: AddressSanitizer: heap-use-after-free (nginx+0x4e9d7e) in __interceptor_memcpy.part.41
Shadow bytes around the buggy address:
  0x0c3c80001440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80001450: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c3c80001460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80001470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80001480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c80001490: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4234==ABORTING",defect,closed,minor,,documentation,1.23.x,fixed,http3,,Linux 4.19.91-008.ali4000.alios7.x86_64 #1 SMP Fri Sep 4 17:33:26 CST 2020 x86_64 x86_64 x86_64 GNU/Linux,"nginx version: nginx/1.23.3
built by gcc 9.3.0 (GCC)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-debug --with-http_v3_module --prefix=/home/yefei.dyf/nginx --with-cc-opt=-I/home/yefei.dyf/boringssl/include --with-ld-opt='-L/home/yefei.dyf/boringssl/ssl -L/home/yefei.dyf/boringssl/crypto' --with-google_perftools_module"