astitcher pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git
The following commit(s) were added to refs/heads/main by this push:
new cfa3fb5c9 PROTON-2873: Correctly switch disposition type for existing
deliveries
cfa3fb5c9 is described below
commit cfa3fb5c9daa8a652e71b14a8ed71e31eaa9d645
Author: Andrew Stitcher <[email protected]>
AuthorDate: Thu Mar 6 17:29:11 2025 -0500
PROTON-2873: Correctly switch disposition type for existing deliveries
This bug was found by the OSS Fuzz project.
---
c/src/core/engine-internal.h | 3 +++
c/src/core/engine.c | 2 +-
c/src/core/transport.c | 3 +++
.../fuzz/fuzz-connection-driver/crash/5209948879650816 | Bin 0 -> 420 bytes
.../fuzz/fuzz-connection-driver/crash/5876966427525120 | Bin 0 -> 199 bytes
.../fuzz/fuzz-connection-driver/crash/6709525558394880 | Bin 0 -> 311 bytes
6 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/c/src/core/engine-internal.h b/c/src/core/engine-internal.h
index f10e6a8f0..36950de16 100644
--- a/c/src/core/engine-internal.h
+++ b/c/src/core/engine-internal.h
@@ -420,6 +420,9 @@ void pn_transport_sasl_init(pn_transport_t *transport);
void pn_condition_init(pn_condition_t *condition);
void pn_condition_tini(pn_condition_t *condition);
+
+void pn_disposition_clear(pn_disposition_t *ds);
+
void pn_modified(pn_connection_t *connection, pn_endpoint_t *endpoint, bool
emit);
void pn_real_settle(pn_delivery_t *delivery); // will free delivery if link
is freed
void pn_clear_tpwork(pn_delivery_t *delivery);
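Review bot: The new `pn_disposition_clear` declaration makes the function callable from other translation units, but nothing on it states its contract. The engine.c hunk shows it calling `pn_disposition_finalize(ds)` followed by `pn_disposition_init(ds)`, and init is a `memset` to zero, so a caller gets back a reusable, zeroed disposition rather than a freed one. I would say so at the declaration, in the trailing-comment style this header already uses: `void pn_disposition_clear(pn_disposition_t *ds); // finalizes ds, then re-initializes it to the zeroed state; ds remains valid for reuse`.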
diff --git a/c/src/core/engine.c b/c/src/core/engine.c
index d7fb091d4..21b3fa453 100644
--- a/c/src/core/engine.c
+++ b/c/src/core/engine.c
@@ -1680,7 +1680,7 @@ static void pn_disposition_init(pn_disposition_t *ds)
memset(ds, 0, sizeof(*ds));
}
-static void pn_disposition_clear(pn_disposition_t *ds)
+void pn_disposition_clear(pn_disposition_t *ds)
{
pn_disposition_finalize(ds);
pn_disposition_init(ds);
diff --git a/c/src/core/transport.c b/c/src/core/transport.c
index 98d015e63..24a2a4d6f 100644
--- a/c/src/core/transport.c
+++ b/c/src/core/transport.c
@@ -1547,6 +1547,9 @@ static inline bool sequence_lte(pn_sequence_t a,
pn_sequence_t b) {
}
static void pni_amqp_decode_disposition (uint64_t type, pn_bytes_t disp_data,
pn_disposition_t *disp) {
+ if (disp->type != PN_DISP_EMPTY) {
+ pn_disposition_clear(disp);
+ }
switch (type) {
case AMQP_DESC_RECEIVED: {
bool qnumber;
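Review bot: The guard added at the top of `pni_amqp_decode_disposition` has no comment explaining why a populated disposition must be reset before decoding, and that reason is the entire fix. From the commit title, the case seems to be a delivery that already holds a disposition of one type and then receives a frame with a different descriptor, so state left from the old type would otherwise be read as the new type. I would record that above the `if`, for example `/* disp may hold an earlier disposition of another type; reset it so stale per-type state is never read as the new type */`. The check also assumes that the zeroed state produced by `pn_disposition_clear` compares equal to `PN_DISP_EMPTY`, which the visible lines do not show, so that is worth confirming or asserting. The rest of the switch lies outside this hunk, so please also check that every branch, including any default, leaves `disp->type` consistent with what it populated, since the clear now discards the previous state on every call.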
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/5209948879650816
b/c/tests/fuzz/fuzz-connection-driver/crash/5209948879650816
new file mode 100644
index 000000000..b6e18e3d7
Binary files /dev/null and
b/c/tests/fuzz/fuzz-connection-driver/crash/5209948879650816 differ
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/5876966427525120
b/c/tests/fuzz/fuzz-connection-driver/crash/5876966427525120
new file mode 100644
index 000000000..50b7b1326
Binary files /dev/null and
b/c/tests/fuzz/fuzz-connection-driver/crash/5876966427525120 differ
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/6709525558394880
b/c/tests/fuzz/fuzz-connection-driver/crash/6709525558394880
new file mode 100644
index 000000000..dfeb2931c
Binary files /dev/null and
b/c/tests/fuzz/fuzz-connection-driver/crash/6709525558394880 differ