Posted to commits@qpid.apache.org by kg...@apache.org on 2020/10/08 19:23:56 UTC

[qpid-dispatch] branch dev-protocol-adaptors updated: avoid reading beyond end of body data buffer (#872)

This is an automated email from the ASF dual-hosted git repository.

kgiusti pushed a commit to branch dev-protocol-adaptors
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/dev-protocol-adaptors by this push:
     new 653c0cb  avoid reading beyond end of body data buffer (#872)
653c0cb is described below

commit 653c0cbdd806c34f91e94fefd9ed77ff9146d929
Author: Ken Giusti <kg...@apache.org>
AuthorDate: Thu Oct 8 15:08:46 2020 -0400

    avoid reading beyond end of body data buffer (#872)
---
 src/message.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/message.c b/src/message.c
index 21c226b..2894086 100644
--- a/src/message.c
+++ b/src/message.c
@@ -2428,40 +2428,40 @@ int qd_message_body_data_buffer_count(const qd_message_body_data_t *body_data)
  */
 int qd_message_body_data_buffers(qd_message_body_data_t *body_data, pn_raw_buffer_t *buffers, int offset, int count)
 {
-    int          actual_count = 0;
     qd_buffer_t *buffer       = body_data->payload.buffer;
+    size_t       data_offset  = body_data->payload.offset;
+    size_t       payload_len  = body_data->payload.length;
 
     //
-    // Skip the offset
+    // Skip the buffer offset
     //
-    while (offset > 0 && !!buffer) {
-        buffer = DEQ_NEXT(buffer);
+    assert(offset < qd_message_body_data_buffer_count(body_data));
+    while (offset > 0 && payload_len > 0) {
+        payload_len -= qd_buffer_size(buffer) - data_offset;
         offset--;
+        data_offset = 0;
+        buffer = DEQ_NEXT(buffer);
     }
 
     //
     // Fill the buffer array
     //
     int idx = 0;
-    while (idx < count && !!buffer) {
+    while (idx < count && payload_len > 0) {
+        size_t buf_size = MIN(payload_len, qd_buffer_size(buffer) - data_offset);
         buffers[idx].context  = 0;  // reserved for use by caller - do not modify!
-        buffers[idx].bytes    = (char*) qd_buffer_base(buffer) + (buffer == body_data->payload.buffer ? body_data->payload.offset : 0);
+        buffers[idx].bytes    = (char*) qd_buffer_base(buffer) + data_offset;
         buffers[idx].capacity = BUFFER_SIZE;
-        buffers[idx].size     = qd_buffer_size(buffer) - (buffer == body_data->payload.buffer ? body_data->payload.offset : 0);
+        buffers[idx].size     = buf_size;
         buffers[idx].offset   = 0;
 
-        if (buffer == body_data->last_buffer) {
-            // Don't process beyond the end of this body_data section
-            actual_count++;
-            break;
-        }
-
+        data_offset = 0;
+        payload_len -= buf_size;
         buffer = DEQ_NEXT(buffer);
-        actual_count++;
         idx++;
     }
 
-    return actual_count;
+    return idx;
 }
 
 
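Review bot: The skip loop subtracts `qd_buffer_size(buffer) - data_offset` from the unsigned `payload_len` without the `MIN` clamp that the fill loop applies, so the only thing keeping it from wrapping is the `assert` on `offset`, which disappears when the code is built with NDEBUG. If a caller passes an offset at or past the buffer count in such a build and the section ends part-way through its last buffer, `payload_len` wraps to a very large value and both loops keep following `DEQ_NEXT` past the section (possibly onto a NULL buffer, since the old `!!buffer` test is gone), which is the over-read this commit sets out to close. I would clamp the skip the same way, `payload_len -= MIN(payload_len, qd_buffer_size(buffer) - data_offset);`, and back the assert with a runtime check such as `if (offset >= qd_message_body_data_buffer_count(body_data)) return 0;`. Whether any caller can actually pass an out-of-range offset is not visible from this hunk.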

