trafficserver-commits mailing list archives

From zw...@apache.org
Subject git commit: TS-2270 ESI Plugin can have infinite loop on gunzip
Date Thu, 10 Oct 2013 17:16:30 GMT
Updated Branches:
  refs/heads/master 17f782e7b -> 6b0fe6708


TS-2270 ESI Plugin can have infinite loop on gunzip

Reviewed: leif

Note: I'm not an expert on gzip, but these changes seem
in line with how we deal with this in the gzip plugin.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/6b0fe670
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/6b0fe670
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/6b0fe670

Branch: refs/heads/master
Commit: 6b0fe6708de8c73f8486ebe3c6c519d9aeceef68
Parents: 17f782e
Author: Kit Chan <chanshukit at gmail dot com>
Authored: Thu Oct 10 11:15:28 2013 -0600
Committer: Leif Hedstrom <zwoop@apache.org>
Committed: Thu Oct 10 11:15:28 2013 -0600

----------------------------------------------------------------------
 CHANGES                              |  3 +++
 plugins/experimental/esi/lib/gzip.cc | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6b0fe670/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index fa566c0..d054929 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 4.1.0
 
+  *) [TS-2270] ESI Plugin can have infinite loop while doing gunzip on
+   responses. Author: Kit Chan.
+
   *) [TS-2268] Add support for opening protocol traffic sockets through the 
    traffic_manager. Added TSPluginDescriptorAccept into expiremental API.
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6b0fe670/plugins/experimental/esi/lib/gzip.cc
----------------------------------------------------------------------
diff --git a/plugins/experimental/esi/lib/gzip.cc b/plugins/experimental/esi/lib/gzip.cc
index f938151..5be1be4 100644
--- a/plugins/experimental/esi/lib/gzip.cc
+++ b/plugins/experimental/esi/lib/gzip.cc
@@ -163,14 +163,19 @@ EsiLib::gunzip(const char *data, int data_len, BufferList &buf_list)
{
   do {
     zstrm.next_out = reinterpret_cast<Bytef *>(raw_buf);
     zstrm.avail_out = BUF_SIZE;
-    inflate_result = inflate(&zstrm, Z_FINISH);
+    inflate_result = inflate(&zstrm, Z_SYNC_FLUSH);
     curr_buf_size = -1;
     if ((inflate_result == Z_OK) || (inflate_result == Z_BUF_ERROR)) {
       curr_buf_size = BUF_SIZE;
     } else if (inflate_result == Z_STREAM_END) {
       curr_buf_size = BUF_SIZE - zstrm.avail_out;
     }
-    if (curr_buf_size == -1) {
+    if (curr_buf_size > BUF_SIZE) {
+      Utils::ERROR_LOG("[%s] buf too large", __FUNCTION__);
+      break;
+    }
+    if (curr_buf_size < 1) {
+      Utils::ERROR_LOG("[%s] buf below zero", __FUNCTION__);
       break;
     }
     unzipped_data_size += curr_buf_size;
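
Review bot: In the `Z_OK` / `Z_BUF_ERROR` branch, `curr_buf_size = BUF_SIZE` no longer holds after the switch from `Z_FINISH` to `Z_SYNC_FLUSH`. With `Z_SYNC_FLUSH`, inflate() can return `Z_OK` after consuming all available input while leaving `avail_out` non-zero, so `unzipped_data_size` is over-counted and the unwritten tail of `raw_buf` is treated as decompressed data. Use `BUF_SIZE - zstrm.avail_out` for every non-error result. Two smaller points in the same hunk: `curr_buf_size > BUF_SIZE` cannot be true for any of the three values assigned above it (-1, `BUF_SIZE`, `BUF_SIZE - zstrm.avail_out`), and `curr_buf_size < 1` logs "buf below zero" for the value 0 as well, which is what a final `Z_STREAM_END` call that produces no output yields, so a clean end of stream gets an error log line. Logging `inflate_result` in that message would also make the real error case diagnosable from this line.
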
@@ -185,7 +190,7 @@ EsiLib::gunzip(const char *data, int data_len, BufferList &buf_list)
{
     if (inflate_result == Z_STREAM_END) {
       break;
     }
-  } while (true);
+  } while (zstrm.avail_in > 0);
   inflateEnd(&zstrm);
   if (inflate_result != Z_STREAM_END) {
     Utils::ERROR_LOG("[%s] Failure while inflating; error code %d", __FUNCTION__, inflate_result);
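
Review bot: The new loop condition `while (zstrm.avail_in > 0)` stops the spin when inflate() makes no progress, but it also exits when the input is fully consumed and the last call filled `raw_buf` completely (`avail_out == 0`). zlib may still hold pending output in that state, so a valid stream whose remaining output did not fit in the current buffer leaves the loop with `inflate_result == Z_OK` and is reported as "Failure while inflating". Consider continuing while `zstrm.avail_in > 0 || zstrm.avail_out == 0`, and treating a `Z_BUF_ERROR` that makes no progress as the explicit termination case. A short comment on the loop stating which condition prevents the infinite loop from TS-2270 would help the next reader.
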

