This is an automated email from the ASF dual-hosted git repository. gancho pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new 986d355 Assert non-zero HdrHeap object size (#6954) 986d355 is described below commit 986d355daf0fc97131e9d6ed22988563e59547c7 Author: Gancho Tenev <10522628+gte...@users.noreply.github.com> AuthorDate: Tue Jul 7 11:03:03 2020 -0700 Assert non-zero HdrHeap object size (#6954) HdrHeap object length cannot be 0 by design otherwise there is something wrong, i.e. possible memory corruption, in such cases iterating over HdrHeap objects would lead to infinite loop, i.e. during unmarshaling.
---
 proxy/hdrs/HdrHeap.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/proxy/hdrs/HdrHeap.cc b/proxy/hdrs/HdrHeap.cc
index 1452a8e..dfa387a 100644
--- a/proxy/hdrs/HdrHeap.cc
+++ b/proxy/hdrs/HdrHeap.cc
@@ -400,6 +400,9 @@ HdrHeap::evacuate_from_str_heaps(HdrStrHeap *new_heap)
 while (data < h->m_free_start) {
 HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(data);
+ // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+ ink_release_assert(0 != obj->m_length);
+
 switch (obj->m_type) {
 case HDR_HEAP_OBJ_URL:
 ((URLImpl *)obj)->move_strings(new_heap);
@@ -440,6 +443,9 @@ HdrHeap::required_space_for_evacuation()
 while (data < h->m_free_start) {
 HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(data);
+ // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+ ink_release_assert(0 != obj->m_length);
+
 switch (obj->m_type) {
 case HDR_HEAP_OBJ_URL:
 ret += ((URLImpl *)obj)->strings_length();
@@ -514,6 +520,9 @@ HdrHeap::sanity_check_strs()
 while (data < h->m_free_start) {
 HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(data);
+ // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+ ink_release_assert(0 != obj->m_length);
+
 switch (obj->m_type) {
 case HDR_HEAP_OBJ_URL:
 ((URLImpl *)obj)->check_strings(heaps, num_heaps);
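Review bot: The added `ink_release_assert(0 != obj->m_length)` in `evacuate_from_str_heaps` rejects only the zero case, so a corrupted non-zero `m_length` that is shorter than the object header or that reaches past `h->m_free_start` still gets to the `switch (obj->m_type)` casts below it. The same applies to the identical hunks in `required_space_for_evacuation` and `sanity_check_strs`. The pointer advance lies outside all three hunks, so this is inferred, but if it is `data += obj->m_length` the check could bound the length as well, e.g. `ink_release_assert(obj->m_length != 0 && obj->m_length <= static_cast<size_t>(h->m_free_start - data));`. Because the same three lines are now repeated in every heap walker, a small file-local helper would keep the checks from drifting apart, and the comment would read more clearly as `// A zero length means the heap is corrupted and this loop would never advance.`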
@@ -937,6 +946,9 @@ HdrHeap::unmarshal(int buf_length, int obj_type, HdrHeapObjImpl **found_obj, Ref
 HdrHeapObjImpl *obj = reinterpret_cast<HdrHeapObjImpl *>(obj_data);
 ink_assert(obj_is_aligned(obj));
+ // Object length cannot be 0 by design, otherwise something is wrong + infinite loop here!
+ ink_release_assert(0 != obj->m_length);
+
 if (obj->m_type == static_cast<unsigned>(obj_type) && *found_obj == nullptr) {
 *found_obj = obj;
 }
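Review bot: In `unmarshal` the objects being walked come from a serialized buffer, and the new `ink_release_assert(0 != obj->m_length)` aborts the whole process when one of them has a zero length, so a single damaged buffer becomes a crash rather than a rejected input. The hunk starts and ends inside the function body, so the existing failure path is not visible; if the function already returns an error for malformed data, the zero-length case would fit there, along the lines of `if (obj->m_length == 0) { return <existing error value>; }`. The alignment check on the line above is `ink_assert`, which appears to be a debug-only assertion, so the two neighbouring validity checks differ in strength in release builds. Checking `m_length` against the bytes remaining in the buffer at the same point would also cover oversized lengths, not just zero.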