You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by bc...@apache.org on 2015/09/25 20:30:53 UTC
trafficserver git commit: TS-3945: ASAN error in HTTP/2 when trying
to decode 0 length buffer
Repository: trafficserver
Updated Branches:
refs/heads/master 591df370c -> f9a6930fc
TS-3945: ASAN error in HTTP/2 when trying to decode 0 length buffer
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f9a6930f
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f9a6930f
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f9a6930f
Branch: refs/heads/master
Commit: f9a6930fca6ea458615fa7fef6b7e67c472701ed
Parents: 591df37
Author: Bryan Call <bc...@apache.org>
Authored: Fri Sep 25 11:30:25 2015 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Fri Sep 25 11:30:25 2015 -0700
----------------------------------------------------------------------
proxy/http2/HPACK.cc | 8 ++++++++
1 file changed, 8 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f9a6930f/proxy/http2/HPACK.cc
----------------------------------------------------------------------
diff --git a/proxy/http2/HPACK.cc b/proxy/http2/HPACK.cc
index 4c6a702..cdf5640 100644
--- a/proxy/http2/HPACK.cc
+++ b/proxy/http2/HPACK.cc
@@ -501,6 +501,10 @@ encode_literal_header_field(uint8_t *buf_start, const uint8_t *buf_end, const MI
int64_t
decode_integer(uint32_t &dst, const uint8_t *buf_start, const uint8_t *buf_end, uint8_t n)
{
+ if (buf_start >= buf_end) {
+ return HPACK_ERROR_COMPRESSION_ERROR;
+ }
+
const uint8_t *p = buf_start;
dst = (*p & ((1 << n) - 1));
@@ -529,6 +533,10 @@ decode_integer(uint32_t &dst, const uint8_t *buf_start, const uint8_t *buf_end,
int64_t
decode_string(Arena &arena, char **str, uint32_t &str_length, const uint8_t *buf_start, const uint8_t *buf_end)
{
+ if (buf_start >= buf_end) {
+ return HPACK_ERROR_COMPRESSION_ERROR;
+ }
+
const uint8_t *p = buf_start;
bool isHuffman = *p & 0x80;
uint32_t encoded_string_len = 0;