Posted to commits@trafficserver.apache.org by ma...@apache.org on 2018/05/17 13:23:42 UTC
[trafficserver] branch quic-latest updated: Fix a buffer overflow
This is an automated email from the ASF dual-hosted git repository.
maskit pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/quic-latest by this push:
new bec0f22 Fix a buffer overflow
bec0f22 is described below
commit bec0f225b593fe6c499307b626460e3758091229
Author: Masakazu Kitajo <ma...@apache.org>
AuthorDate: Thu May 17 22:22:59 2018 +0900
Fix a buffer overflow
---
iocore/net/quic/QUICPacketReceiveQueue.cc | 34 ++++++++++++++++++++-----------
iocore/net/quic/QUICPacketReceiveQueue.h | 4 ++--
2 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/iocore/net/quic/QUICPacketReceiveQueue.cc b/iocore/net/quic/QUICPacketReceiveQueue.cc
index f4cfbe2..04f8602 100644
--- a/iocore/net/quic/QUICPacketReceiveQueue.cc
+++ b/iocore/net/quic/QUICPacketReceiveQueue.cc
@@ -27,9 +27,11 @@
// FIXME: workaround for coalescing packets
static constexpr int LONG_HDR_OFFSET_CONNECTION_ID = 6;
-static constexpr int LONG_HDR_PKT_NUM_LEN = 4;
+static constexpr int LONG_HDR_PKT_NUM_LEN = 4;
-static size_t long_hdr_pkt_len(uint8_t *buf) {
+static size_t
+long_hdr_pkt_len(uint8_t *buf)
+{
uint8_t dcil = (buf[5] >> 4);
if (dcil) {
dcil += 3;
@@ -62,7 +64,7 @@ QUICPacketUPtr
QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
{
QUICPacketUPtr quic_packet = QUICPacketFactory::create_null_packet();
- UDPPacket *udp_packet = nullptr;
+ UDPPacket *udp_packet = nullptr;
// FIXME: avoid this copy
// Copy payload of UDP packet to this->_payload once
@@ -74,9 +76,9 @@ QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
}
// Create a QUIC packet
- this->_from = udp_packet->from;
+ this->_from = udp_packet->from;
this->_payload_len = udp_packet->getPktLength();
- this->_payload = ats_unique_malloc(this->_payload_len);
+ this->_payload = ats_unique_malloc(this->_payload_len);
IOBufferBlock *b = udp_packet->getIOBlockChain();
size_t written = 0;
while (b) {
@@ -87,7 +89,7 @@ QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
}
ats_unique_buf pkt = {nullptr, [](void *p) { ats_free(p); }};
- size_t pkt_len = 0;
+ size_t pkt_len = 0;
if (QUICTypeUtil::has_long_header(this->_payload.get())) {
if (QUICTypeUtil::has_long_header(this->_payload.get() + this->_offset)) {
@@ -103,18 +105,26 @@ QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
if (this->_offset >= this->_payload_len) {
this->_payload.release();
+ this->_payload = nullptr;
+ this->_payload_len = 0;
+ this->_offset = 0;
}
} else {
- pkt = std::move(this->_payload);
- pkt_len = this->_payload_len;
+ pkt = std::move(this->_payload);
+ pkt_len = this->_payload_len;
+ this->_payload = nullptr;
+ this->_payload_len = 0;
+ this->_offset = 0;
}
} else {
- pkt = std::move(this->_payload);
- pkt_len = this->_payload_len;
+ pkt = std::move(this->_payload);
+ pkt_len = this->_payload_len;
+ this->_payload = nullptr;
+ this->_payload_len = 0;
+ this->_offset = 0;
}
- quic_packet =
- this->_packet_factory.create(this->_from, std::move(pkt), pkt_len, this->largest_received_packet_number(), result);
+ quic_packet = this->_packet_factory.create(this->_from, std::move(pkt), pkt_len, this->largest_received_packet_number(), result);
if (udp_packet) {
udp_packet->free();
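Review bot: In the coalesced-packet branch, `this->_payload.release();` gives up ownership without running the deleter (assuming `ats_unique_buf` behaves like `std::unique_ptr`), so the added `this->_payload = nullptr;` after it frees nothing. If `pkt` is a separate copy at that point (its allocation is outside this hunk), the datagram buffer leaks each time a payload is fully consumed; `this->_payload.reset();` in place of both lines would free it and null the pointer. In the two `else` branches the `this->_payload = nullptr;` after `std::move(this->_payload)` is redundant, and the three identical reset sequences could live in one private helper. Nothing visible here bounds the length parsed from the long header against `_payload_len - _offset` before it is used, so that check is worth confirming in the part of `dequeue` that starts and ends outside this hunk.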
diff --git a/iocore/net/quic/QUICPacketReceiveQueue.h b/iocore/net/quic/QUICPacketReceiveQueue.h
index 1930bb7..911c0cf 100644
--- a/iocore/net/quic/QUICPacketReceiveQueue.h
+++ b/iocore/net/quic/QUICPacketReceiveQueue.h
@@ -45,7 +45,7 @@ private:
QUICPacketNumber _largest_received_packet_number = 0;
// FIXME: workaround code for coalescing packets
ats_unique_buf _payload = {nullptr, [](void *p) { ats_free(p); }};
- size_t _payload_len = 0;
- size_t _offset = 0;
+ size_t _payload_len = 0;
+ size_t _offset = 0;
IpEndpoint _from;
};