Skip to content

Fix ASAN-detected plugin bugs across five components#13013

Open
bryancall wants to merge 6 commits intoapache:masterfrom
bryancall:fix/asan-plugin-bugs
Open

Fix ASAN-detected plugin bugs across five components#13013
bryancall wants to merge 6 commits intoapache:masterfrom
bryancall:fix/asan-plugin-bugs

Conversation

@bryancall
Copy link
Contributor

@bryancall bryancall commented Mar 23, 2026

Summary

  • Fix five ASAN-detected defects in plugin/test-plugin code paths: heap buffer read, delete type mismatch, use-after-free, and leak on early return.
  • Update stats_over_http, ja4_fingerprint, txn_box, slice, and async_engine with targeted correctness fixes.
  • Keep changes scoped and independent so plugin safety fixes can merge early.

Test plan

  • Reproduce and validate fixes in ASAN test runs from the flaky/ASAN audit effort.
  • Confirm each fix is limited to the failing code path in the affected plugin.
  • Run Apache CI suite for full platform/compiler coverage.

@bryancall
Fix heap-buffer-overflow in stats_over_http
008b2aa 
Use sized format specifier %.*s with string_view to
avoid reading past the end of the buffer.
@bryancall
Fix delete type mismatch in ja4_fingerprint
d529c48 
Cast to JA4_data* instead of std::string* before delete
to match the actual allocated type and invoke the correct
destructor.
@bryancall
Fix use-after-free in txn_box Config destructor
3d7101f 
Move _arena declaration before _roots so the arena outlives
the directives that reference its memory. C++ destroys
members in reverse declaration order, so _arena must be
declared first.
@bryancall
Fix memory leak in slice plugin
22bff30 
Free urlstr before early return on invalid content length.
The string was allocated by TSHttpTxnEffectiveUrlStringGet
but leaked on the error path.
@bryancall
Fix use-after-free in async_engine test plugin
f362f32 
Save writefd value before freeing its backing memory with
OPENSSL_free, then use the saved value for close() and the
debug message.
@bryancall bryancall requested a review from Copilot March 23, 2026 17:43
@bryancall bryancall added the Bug label Mar 23, 2026
@bryancall bryancall self-assigned this Mar 23, 2026
@bryancall bryancall added Plugins ASan Address Sanitizer labels Mar 23, 2026
@bryancall bryancall added this to the 11.0.0 milestone Mar 23, 2026
Copilot AI reviewed Mar 23, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses multiple ASAN-reported memory-safety defects across several ATS plugins and test-plugin code paths, focusing on targeted fixes to prevent invalid reads, type-mismatched deletes, leaks, and lifetime issues.

Changes:

  • Fix a use-after-free in the OpenSSL async engine test plugin cleanup path by not dereferencing freed memory.
  • Fix an over-read / non-NUL-terminated string logging issue in stats_over_http debug output by using length-bounded formatting.
  • Fix a leak on early-return in the slice plugin by freeing the transaction URL string before returning.
  • Adjust txn_box member destruction order to ensure directive-owned memory arenas outlive directive trees.
  • Update ja4_fingerprint VConn close cleanup to delete the correct stored type.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
tests/tools/plugins/async_engine.c Avoids dereferencing freed memory during async wait context cleanup.
plugins/stats_over_http/stats_over_http.cc Makes debug logging safe for non-null-terminated path suffix views.
plugins/slice/server.cc Frees TSHttpTxnEffectiveUrlStringGet result on early return to avoid leaks.
plugins/experimental/txn_box/plugin/include/txn_box/Config.h Ensures arena outlives directive roots by reordering members for correct destruction.
plugins/experimental/ja4_fingerprint/plugin.cc Changes cleanup delete to match the actual object type stored in the vconn user arg.

@bryancall bryancall requested a review from moonchen March 23, 2026 22:37
@bryancall
Fix JA4 type mismatch in handle_read_request_hdr
593693a 
TSUserArgSet stores a JA4_data* but handle_read_request_hdr retrieved
it as std::string*. This worked by accident since fingerprint is the
first member, but is technically undefined behavior. Cast to
JA4_data* consistently and access the fingerprint member explicitly.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@moonchen moonchen Awaiting requested review from moonchen

At least 1 approving review is required to merge this pull request.

Assignees

@bryancall bryancall

Labels

ASan Address Sanitizer Bug Plugins

Projects

None yet

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@bryancall