This is an automated email from the ASF dual-hosted git repository. astitcher pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/qpid-proton.git
The following commit(s) were added to refs/heads/main by this push: new cfa3fb5c9 PROTON-2873: Correctly switch disposition type for existing deliveries cfa3fb5c9 is described below commit cfa3fb5c9daa8a652e71b14a8ed71e31eaa9d645 Author: Andrew Stitcher <astitc...@apache.org> AuthorDate: Thu Mar 6 17:29:11 2025 -0500 PROTON-2873: Correctly switch disposition type for existing deliveries This bug was found by the OSS Fuzz project. --- c/src/core/engine-internal.h | 3 +++ c/src/core/engine.c | 2 +- c/src/core/transport.c | 3 +++ .../fuzz/fuzz-connection-driver/crash/5209948879650816 | Bin 0 -> 420 bytes .../fuzz/fuzz-connection-driver/crash/5876966427525120 | Bin 0 -> 199 bytes .../fuzz/fuzz-connection-driver/crash/6709525558394880 | Bin 0 -> 311 bytes 6 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/c/src/core/engine-internal.h b/c/src/core/engine-internal.h
index f10e6a8f0..36950de16 100644
--- a/c/src/core/engine-internal.h
+++ b/c/src/core/engine-internal.h
@@ -420,6 +420,9 @@ void pn_transport_sasl_init(pn_transport_t *transport);
 void pn_condition_init(pn_condition_t *condition);
 void pn_condition_tini(pn_condition_t *condition);
+
+void pn_disposition_clear(pn_disposition_t *ds);
+
 void pn_modified(pn_connection_t *connection, pn_endpoint_t *endpoint, bool emit);
 void pn_real_settle(pn_delivery_t *delivery); // will free delivery if link is freed
 void pn_clear_tpwork(pn_delivery_t *delivery);
diff --git a/c/src/core/engine.c b/c/src/core/engine.c
index d7fb091d4..21b3fa453 100644
--- a/c/src/core/engine.c
+++ b/c/src/core/engine.c
@@ -1680,7 +1680,7 @@ static void pn_disposition_init(pn_disposition_t *ds)
 memset(ds, 0, sizeof(*ds));
 }
-static void pn_disposition_clear(pn_disposition_t *ds)
+void pn_disposition_clear(pn_disposition_t *ds)
 {
 pn_disposition_finalize(ds);
 pn_disposition_init(ds);
diff --git a/c/src/core/transport.c b/c/src/core/transport.c
index 98d015e63..24a2a4d6f 100644
--- a/c/src/core/transport.c
+++ b/c/src/core/transport.c
@@ -1547,6 +1547,9 @@ static inline bool sequence_lte(pn_sequence_t a, pn_sequence_t b) {
 }
 static void pni_amqp_decode_disposition (uint64_t type, pn_bytes_t disp_data, pn_disposition_t *disp) {
+ if (disp->type != PN_DISP_EMPTY) {
+ pn_disposition_clear(disp);
+ }
 switch (type) {
 case AMQP_DESC_RECEIVED: {
 bool qnumber;
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/5209948879650816 b/c/tests/fuzz/fuzz-connection-driver/crash/5209948879650816
new file mode 100644
index 000000000..b6e18e3d7
Binary files /dev/null and b/c/tests/fuzz/fuzz-connection-driver/crash/5209948879650816 differ
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/5876966427525120 b/c/tests/fuzz/fuzz-connection-driver/crash/5876966427525120
new file mode 100644
index 000000000..50b7b1326
Binary files /dev/null and b/c/tests/fuzz/fuzz-connection-driver/crash/5876966427525120 differ
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/6709525558394880 b/c/tests/fuzz/fuzz-connection-driver/crash/6709525558394880
new file mode 100644
index 000000000..dfeb2931c
Binary files /dev/null and b/c/tests/fuzz/fuzz-connection-driver/crash/6709525558394880 differ
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
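Review bot: In the c/src/core/transport.c hunk, the new guard at the top of pni_amqp_decode_disposition clears `disp` before `switch (type)` has accepted the incoming descriptor, so a frame that is later rejected would still discard the disposition already stored on the delivery. The switch body continues outside the hunk, so whether such a path exists cannot be confirmed from here. If it does, either clear only once the descriptor is recognised or state in a comment that dropping the old state on any incoming disposition is intended. The guard also has no comment explaining why it is needed; something like `/* disp may still hold state of a different type from an earlier frame; release it so old fields are never reinterpreted as the new type */` would keep the fuzz-found invariant visible to the next maintainer.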