Posted to commits@trafficserver.apache.org by zw...@apache.org on 2011/06/07 18:15:24 UTC

svn commit: r1133071 - /trafficserver/traffic/trunk/proxy/hdrs/MIME.cc

Author: zwoop
Date: Tue Jun  7 16:15:24 2011
New Revision: 1133071

URL: http://svn.apache.org/viewvc?rev=1133071&view=rev
Log:
TS-827 TSMimeHdrFieldValueStringInsert() can use freed memory to edit
headers.

This only affects plugins as far as we can tell, but it is an important fix,
since it could potentially cause buffer overruns in plugin code.

Author: William Bardwell
Review: leif

Modified:
    trafficserver/traffic/trunk/proxy/hdrs/MIME.cc

Modified: trafficserver/traffic/trunk/proxy/hdrs/MIME.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/hdrs/MIME.cc?rev=1133071&r1=1133070&r2=1133071&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/hdrs/MIME.cc (original)
+++ trafficserver/traffic/trunk/proxy/hdrs/MIME.cc Tue Jun  7 16:15:24 2011
@@ -1938,6 +1938,19 @@ mime_field_value_str_from_strlist(HdrHea
   return new_value;
 }
 
+// Make sure that there is enough space for a header value string with out calling coalesce_str_heaps()
+// when we have pointers into the heap. TODO: This might need to attention for a future release, but
+// ok for now. /leif
+static void verify_heap_prealloc(HdrHeap *heap, size_t prealloc_len)
+{
+    // If there just isn't enough free space in the read-write heap.
+    if (heap->m_read_write_heap && heap->m_read_write_heap->m_free_size <= prealloc_len) {
+        // Allocate enough space, 'free' it, and then coalesce it so it will actually be free not just lost.
+        heap->free_string(heap->allocate_str(prealloc_len), prealloc_len);
+        heap->coalesce_str_heaps();
+    }
+}
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 
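Review bot: The free-size comparison at `heap->m_read_write_heap->m_free_size <= prealloc_len` treats a heap with exactly prealloc_len bytes free as insufficient but one with prealloc_len + 1 as fine; whether allocate_str needs any slack beyond the requested length is not visible here, so the strictness of this check and the contract on prealloc_len should be written down rather than left to the TODO. The header comment should say what this function actually protects: the comma-value editors below parse the current value into a `StrList` whose entries point into the heap (see the `parse_tok_list(&list, 0, field->m_ptr_value, ...)` calls), and a `coalesce_str_heaps()` triggered by a later allocation relocates that storage and leaves those pointers dangling, which is the TS-827 use-after-free; something like `// Callers hold StrList pointers into the heap; prealloc_len must be an upper bound on the bytes they allocate afterwards, or coalesce_str_heaps() may still run mid-edit and invalidate them.` The `m_read_write_heap == NULL` branch is silently skipped, which is presumably safe if the first allocate_str creates the heap without coalescing, but that assumption deserves a one-line comment too. The body is indented four spaces while the surrounding file uses two (compare `return new_value;` above).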
@@ -1949,6 +1962,8 @@ mime_field_value_set_comma_val(HdrHeap *
   Str *cell;
   StrList list(false);
 
+  verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
+
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');
 
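Review bot: The prealloc size `field->m_len_value + 2 + new_piece_len` is passed with no statement of what it bounds, and the whole fix depends on it being an upper bound on everything the function allocates from the heap after `parse_tok_list` has filled `list` with pointers into the current value; the same expression is used in mime_field_value_insert_comma_val and mime_field_value_extend_comma_val below, and mime_field_value_delete_comma_val passes `field->m_len_value`. A comment at each call site would make the invariant checkable, e.g. `// Upper bound on the rebuilt value (old value + ", " separator + new piece); must cover every allocate_str below, or coalesce may run while list points into the heap.` The remainder of each function, where the allocation actually happens, is outside the hunk, so I cannot confirm the bound from what is shown. The `+ 2` is presumably the separator width and is the kind of constant that silently drifts if the join format changes; defining it next to the separator string would keep the two in sync.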
@@ -1979,6 +1994,8 @@ mime_field_value_delete_comma_val(HdrHea
   Str *cell;
   StrList list(false);
 
+  verify_heap_prealloc(heap, field->m_len_value);
+
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');
 
@@ -2025,6 +2042,7 @@ mime_field_value_insert_comma_val(HdrHea
   Str *cell, *prev;
   StrList list(false);
 
+  verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');
 
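Review bot: The `verify_heap_prealloc(...)` call is run straight into the `// (1) rip the value into tokens` comment without the blank line that the other three call sites in this commit keep after it, which makes the guard read as part of step (1) rather than as a precondition for the whole edit. Adding the blank line after the call keeps the four functions consistent. The body of mime_field_value_insert_comma_val continues outside the hunk.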
@@ -2065,6 +2083,8 @@ mime_field_value_extend_comma_val(HdrHea
   size_t extended_len;
   char *dest, *temp_ptr, temp_buf[128];
 
+  verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
+
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value, ',');