This is an automated email from the ASF dual-hosted git repository. maskit pushed a commit to branch quic-latest in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/quic-latest by this push:
new bec0f22 Fix a buffer overflow
bec0f22 is described below
commit bec0f225b593fe6c499307b626460e3758091229
Author: Masakazu Kitajo <mas...@apache.org>
AuthorDate: Thu May 17 22:22:59 2018 +0900
Fix a buffer overflow
---
iocore/net/quic/QUICPacketReceiveQueue.cc | 34 ++++++++++++++++++++-----------
iocore/net/quic/QUICPacketReceiveQueue.h | 4 ++--
2 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/iocore/net/quic/QUICPacketReceiveQueue.cc b/iocore/net/quic/QUICPacketReceiveQueue.cc
index f4cfbe2..04f8602 100644
--- a/iocore/net/quic/QUICPacketReceiveQueue.cc
+++ b/iocore/net/quic/QUICPacketReceiveQueue.cc
@@ -27,9 +27,11 @@
 // FIXME: workaround for coalescing packets
 static constexpr int LONG_HDR_OFFSET_CONNECTION_ID = 6;
-static constexpr int LONG_HDR_PKT_NUM_LEN = 4;
+static constexpr int LONG_HDR_PKT_NUM_LEN = 4;
-static size_t long_hdr_pkt_len(uint8_t *buf) {
+static size_t
+long_hdr_pkt_len(uint8_t *buf)
+{
 uint8_t dcil = (buf[5] >> 4);
 if (dcil) {
 dcil += 3;
@@ -62,7 +64,7 @@ QUICPacketUPtr
 QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
 {
 QUICPacketUPtr quic_packet = QUICPacketFactory::create_null_packet();
- UDPPacket *udp_packet = nullptr;
+ UDPPacket *udp_packet = nullptr;
 // FIXME: avoid this copy
 // Copy payload of UDP packet to this->_payload once
@@ -74,9 +76,9 @@ QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
 }
 // Create a QUIC packet
- this->_from = udp_packet->from;
+ this->_from = udp_packet->from;
 this->_payload_len = udp_packet->getPktLength();
- this->_payload = ats_unique_malloc(this->_payload_len);
+ this->_payload = ats_unique_malloc(this->_payload_len);
 IOBufferBlock *b = udp_packet->getIOBlockChain();
 size_t written = 0;
 while (b) {
@@ -87,7 +89,7 @@ QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
 }
 ats_unique_buf pkt = {nullptr, [](void *p) { ats_free(p); }};
- size_t pkt_len = 0;
+ size_t pkt_len = 0;
 if (QUICTypeUtil::has_long_header(this->_payload.get())) {
 if (QUICTypeUtil::has_long_header(this->_payload.get() + this->_offset)) {
@@ -103,18 +105,26 @@ QUICPacketReceiveQueue::dequeue(QUICPacketCreationResult &result)
 if (this->_offset >= this->_payload_len) {
 this->_payload.release();
+ this->_payload = nullptr;
+ this->_payload_len = 0;
+ this->_offset = 0;
 }
 } else {
- pkt = std::move(this->_payload);
- pkt_len = this->_payload_len;
+ pkt = std::move(this->_payload);
+ pkt_len = this->_payload_len;
+ this->_payload = nullptr;
+ this->_payload_len = 0;
+ this->_offset = 0;
 }
 } else {
- pkt = std::move(this->_payload);
- pkt_len = this->_payload_len;
+ pkt = std::move(this->_payload);
+ pkt_len = this->_payload_len;
+ this->_payload = nullptr;
+ this->_payload_len = 0;
+ this->_offset = 0;
 }
- quic_packet =
- this->_packet_factory.create(this->_from, std::move(pkt), pkt_len, this->largest_received_packet_number(), result);
+ quic_packet = this->_packet_factory.create(this->_from, std::move(pkt), pkt_len, this->largest_received_packet_number(), result);
 if (udp_packet) {
 udp_packet->free();
diff --git a/iocore/net/quic/QUICPacketReceiveQueue.h b/iocore/net/quic/QUICPacketReceiveQueue.h
index 1930bb7..911c0cf 100644
--- a/iocore/net/quic/QUICPacketReceiveQueue.h
+++ b/iocore/net/quic/QUICPacketReceiveQueue.h
@@ -45,7 +45,7 @@ private:
 QUICPacketNumber _largest_received_packet_number = 0;
 // FIXME: workaround code for coalescing packets
 ats_unique_buf _payload = {nullptr, [](void *p) { ats_free(p); }};
- size_t _payload_len = 0;
- size_t _offset = 0;
+ size_t _payload_len = 0;
+ size_t _offset = 0;
 IpEndpoint _from;
 };
-- 
To stop receiving notification emails like this one, please contact mas...@apache.org.
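Review bot: In the coalesced-packet branch of the `@@ -103` hunk, `this->_payload.release();` gives up ownership of the buffer without running the deleter, so the newly added `this->_payload = nullptr;` on the next line is a no-op (the pointer is already empty after release) and the payload allocated by `ats_unique_malloc` leaks once per fully consumed datagram — assuming `ats_unique_buf` is a `std::unique_ptr` specialization, as `std::move(this->_payload)` and the nullptr assignment suggest. Dropping the `release()` call and keeping only `this->_payload = nullptr;` frees the buffer through the deleter and leaves the same post-state; a leak on an input-driven path is a memory-exhaustion risk for a long-running proxy. The three-line reset of `_payload`/`_payload_len`/`_offset` is now repeated verbatim in three branches; a small private helper such as `void _reset_payload();` would keep them in step, since a stale `_offset` is exactly the state this commit is fixing. dequeue() begins and ends outside this hunk.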