Posted to commits@trafficserver.apache.org by zw...@apache.org on 2020/06/23 20:17:16 UTC

[trafficserver] branch 9.0.x updated: Ensure read_avail is set for the first non-empty block (#6916)

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new d1ee5ed  Ensure read_avail is set for the first non-empty block (#6916)
d1ee5ed is described below

commit d1ee5ed6b717d1833860c26ebeb1b99a2dd3f7d4
Author: Sudheer Vinukonda <su...@apache.org>
AuthorDate: Thu Jun 18 14:42:49 2020 -0700

    Ensure read_avail is set for the first non-empty block (#6916)
    
    Also add defense to prevent Heap buffer overflow (from ASAN report in prod)
    
    (cherry picked from commit f214fcfc6861706d0881abe4983a9ab8630f07f7)
---
 src/traffic_server/FetchSM.cc | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/traffic_server/FetchSM.cc b/src/traffic_server/FetchSM.cc
index f682311..0cb2919 100644
--- a/src/traffic_server/FetchSM.cc
+++ b/src/traffic_server/FetchSM.cc
@@ -367,6 +367,10 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader)
     return;
   }
 
+  /* Read the data out of the reader */
+  if (reader->block != NULL)
+    reader->skip_empty_blocks();
+
   read_avail = reader->read_avail();
   Debug(DEBUG_TAG, "[%s] total avail %" PRId64, __FUNCTION__, read_avail);
   if (!read_avail) {
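Review bot: The comment `/* Read the data out of the reader */` moved together with the skip and now sits above code that reads nothing; the copy it described starts further down in the function. A comment that records why the order matters would help the next maintainer, for example `/* Skip leading empty blocks before read_avail is taken, so the size and the first block walked below agree */`. On style, `reader->block != NULL` could be `reader->block != nullptr`, and the one-line `if` body would be safer with braces. The function body starts and ends outside this hunk.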
@@ -377,10 +381,6 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader)
   info            = (char *)ats_malloc(sizeof(char) * (read_avail + 1));
   client_response = info;
 
-  /* Read the data out of the reader */
-  if (reader->block != NULL)
-    reader->skip_empty_blocks();
-
   blk = reader->block.get();
 
   // This is the equivalent of TSIOBufferBlockReadStart()
@@ -391,7 +391,7 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader)
     int bytes_used = 0;
     header_done    = 1;
     if (client_response_hdr.parse_resp(&http_parser, reader, &bytes_used, 0) == PARSE_RESULT_DONE) {
-      if (bytes_used > 0) {
+      if ((bytes_used > 0) && (bytes_used <= read_avail)) {
         memcpy(info, buf, bytes_used);
         info += bytes_used;
         client_bytes += bytes_used;
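Review bot: The added `bytes_used <= read_avail` bound protects only the destination `info`; the source side of `memcpy(info, buf, bytes_used)` is still unchecked. `buf` is assigned outside this hunk, but the later hunks set it from a single block (`blk->start() + reader->start_offset`), so if it points into the first block here and the parsed header spans more than one block, the copy could read past that block's data. Consider also bounding the length by the contiguous bytes available at `buf`. When the guard fails, the header bytes are dropped with no trace; an else branch with a log line such as `Warning("[%s] bytes_used %d exceeds read_avail %" PRId64, __FUNCTION__, bytes_used, read_avail);` would make the condition visible in production. The enclosing `if` block continues past the end of the hunk.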
@@ -418,7 +418,7 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader)
       buf       = blk->start() + reader->start_offset;
       read_done = blk->read_avail() - reader->start_offset;
 
-      if (read_done > 0) {
+      if ((read_done > 0) && ((read_done <= read_avail))) {
         memcpy(info, buf, read_done);
         reader->consume(read_done);
         read_avail -= read_done;
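Review bot: When `read_done > read_avail`, the new guard skips `memcpy`, `reader->consume(read_done)` and `read_avail -= read_done` together, so neither the reader position nor the remaining count advances for that block. The surrounding loop is outside the hunk, so it cannot be confirmed from here whether it still terminates or how much of the body is silently lost. Clamping before the check, `if (read_done > read_avail) read_done = read_avail;`, would copy what fits in `info` and keep the accounting moving. The same applies to the hunk at -453. The doubled parentheses in `((read_done <= read_avail))` are also inconsistent with that hunk.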
@@ -453,7 +453,7 @@ FetchSM::get_info_from_buffer(IOBufferReader *reader)
       buf       = blk->start() + reader->start_offset;
       read_done = blk->read_avail() - reader->start_offset;
 
-      if (read_done > 0) {
+      if ((read_done > 0) && (read_done <= read_avail)) {
         memcpy(info, buf, read_done);
         reader->consume(read_done);
         read_avail -= read_done;