Posted to commits@trafficserver.apache.org by zw...@apache.org on 2011/06/07 18:15:24 UTC
svn commit: r1133071 - /trafficserver/traffic/trunk/proxy/hdrs/MIME.cc
Author: zwoop
Date: Tue Jun 7 16:15:24 2011
New Revision: 1133071
URL: http://svn.apache.org/viewvc?rev=1133071&view=rev
Log:
TS-827 TSMimeHdrFieldValueStringInsert() can use freed memory to edit
headers.
This only affects plugins as far as we can tell, but is an important fix,
since it could potentially cause buffer overruns for plugin developers.
Author: William Bardwell
Review: leif
Modified:
trafficserver/traffic/trunk/proxy/hdrs/MIME.cc
Modified: trafficserver/traffic/trunk/proxy/hdrs/MIME.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/hdrs/MIME.cc?rev=1133071&r1=1133070&r2=1133071&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/hdrs/MIME.cc (original)
+++ trafficserver/traffic/trunk/proxy/hdrs/MIME.cc Tue Jun 7 16:15:24 2011
@@ -1938,6 +1938,19 @@ mime_field_value_str_from_strlist(HdrHea
return new_value;
}
+// Make sure that there is enough space for a header value string with out calling coalesce_str_heaps()
+// when we have pointers into the heap. TODO: This might need to attention for a future release, but
+// ok for now. /leif
+static void verify_heap_prealloc(HdrHeap *heap, size_t prealloc_len)
+{
+ // If there just isn't enough free space in the read-write heap.
+ if (heap->m_read_write_heap && heap->m_read_write_heap->m_free_size <= prealloc_len) {
+ // Allocate enough space, 'free' it, and then coalesce it so it will actually be free not just lost.
+ heap->free_string(heap->allocate_str(prealloc_len), prealloc_len);
+ heap->coalesce_str_heaps();
+ }
+}
+
/*-------------------------------------------------------------------------
-------------------------------------------------------------------------*/
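Review bot: verify_heap_prealloc() never confirms its own guarantee: the pointer from `heap->allocate_str(prealloc_len)` goes straight into `free_string()`, and nothing after `coalesce_str_heaps()` checks that the read-write heap now has more than `prealloc_len` bytes free. Whether allocate_str() can fail and how the coalesced heap is sized are not visible in this hunk, so if either assumption is off, a caller could still hit a coalesce while it holds token pointers, which is the stale-pointer condition this commit is meant to close. I would add a post-condition after the coalesce, `ink_assert(heap->m_read_write_heap && heap->m_read_write_heap->m_free_size > prealloc_len);`, and state in the header comment that the helper may move strings and must therefore run before any pointer into the string heap is taken.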
@@ -1949,6 +1962,8 @@ mime_field_value_set_comma_val(HdrHeap *
Str *cell;
StrList list(false);
+ verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
+
// (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');
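Review bot: The size reserved here, `field->m_len_value + 2 + new_piece_len`, may under-estimate the rebuilt value; the same applies to `field->m_len_value` in mime_field_value_delete_comma_val and to the identical expression in mime_field_value_insert_comma_val. The comment says the tokens are kept without whitespace, so if mime_field_value_str_from_strlist() re-joins them with a two-byte separator (its body is outside this diff), a value written with bare commas such as `a,b,c,d` grows by one byte per separator, and the later allocation can exceed the reservation and coalesce anyway. A safer bound would count the separators or simply reserve `2 * field->m_len_value + 2 + new_piece_len`, with a comment saying what the `+ 2` covers. The function body continues outside the hunk.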
@@ -1979,6 +1994,8 @@ mime_field_value_delete_comma_val(HdrHea
Str *cell;
StrList list(false);
+ verify_heap_prealloc(heap, field->m_len_value);
+
// (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');
@@ -2025,6 +2042,7 @@ mime_field_value_insert_comma_val(HdrHea
Str *cell, *prev;
StrList list(false);
+ verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
// (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');
@@ -2065,6 +2083,8 @@ mime_field_value_extend_comma_val(HdrHea
size_t extended_len;
char *dest, *temp_ptr, temp_buf[128];
+ verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
+
// (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');