This is an automated email from the ASF dual-hosted git repository.
traeak pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new dd38491fd5 Fix bounds check in CacheVC::scanObject (#13263)
dd38491fd5 is described below
commit dd38491fd5ae9aeaa1dee414bcc7359efcc2247a
Author: Brian Olsen <[email protected]>
AuthorDate: Tue Jun 16 06:25:34 2026 -0600
Fix bounds check in CacheVC::scanObject (#13263)
---
src/iocore/cache/CacheVC.cc | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/iocore/cache/CacheVC.cc b/src/iocore/cache/CacheVC.cc
index 821dce534a..83bc9ea8d6 100644
--- a/src/iocore/cache/CacheVC.cc
+++ b/src/iocore/cache/CacheVC.cc
@@ -766,9 +766,17 @@ CacheVC::scanObject(int /* event ATS_UNUSED */, Event * /*
e ATS_UNUSED */)
}
break;
}
- if (doc->data() - buf->data() > static_cast<int>(io.aiocb.aio_nbytes)) {
- might_need_overlap_read = true;
- goto Lskip;
+ {
+ size_t const doc_off = reinterpret_cast<char *>(doc) - buf->data();
+ // Bounds-check in unsigned domain: doc must lie within the
+ // buffer, with room for the Doc header, and doc->hlen must
+ // fit in the remaining bytes before doc->hdr() and
+ // HTTPInfo::unmarshal walk it.
+ if (io.aiocb.aio_nbytes < doc_off || (io.aiocb.aio_nbytes - doc_off) <
sizeof(Doc) ||
+ (io.aiocb.aio_nbytes - doc_off - sizeof(Doc)) < doc->hlen) {
+ might_need_overlap_read = true;
+ goto Lskip;
+ }
}
{
char *tmp = doc->hdr();
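Review bot: The widened condition starting at `if (io.aiocb.aio_nbytes < doc_off || ...` sends two different cases down the same `might_need_overlap_read = true; goto Lskip;` path: a Doc whose header really does straddle the end of the read, and a Doc whose stored `hlen` is simply implausible. The hunk does not show whether `doc->hlen` is compared with `doc->len` before this point; if it is not, a corrupted `hlen` would presumably be retried as an overlap read rather than rejected as a bad fragment, so that is worth confirming in the code above the hunk. As a smaller readability point, hoisting `size_t const nbytes = io.aiocb.aio_nbytes;` next to `doc_off` would make the three subtractions easier to audit and would make the "unsigned domain" claim in the comment explicit in the types. `CacheVC::scanObject` begins and ends outside the hunk, so the behaviour at `Lskip` and inside `HTTPInfo::unmarshal` is not visible here.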