trafficserver-commits mailing list archives

From zw...@apache.org
Subject svn commit: r1133071 - /trafficserver/traffic/trunk/proxy/hdrs/MIME.cc
Date Tue, 07 Jun 2011 16:15:24 GMT
Author: zwoop
Date: Tue Jun  7 16:15:24 2011
New Revision: 1133071

URL: http://svn.apache.org/viewvc?rev=1133071&view=rev
Log:
TS-827 TSMimeHdrFieldValueStringInsert() can use freed memory to edit
headers.

This only affects plugins as far as we can tell, but is an important fix,
since it could potentially cause buffer overruns for plugin developers.

Author: William Bardwell
Review: leif

Modified:
    trafficserver/traffic/trunk/proxy/hdrs/MIME.cc

Modified: trafficserver/traffic/trunk/proxy/hdrs/MIME.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/hdrs/MIME.cc?rev=1133071&r1=1133070&r2=1133071&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/hdrs/MIME.cc (original)
+++ trafficserver/traffic/trunk/proxy/hdrs/MIME.cc Tue Jun  7 16:15:24 2011
@@ -1938,6 +1938,19 @@ mime_field_value_str_from_strlist(HdrHea
   return new_value;
 }
 
+// Make sure that there is enough space for a header value string with out calling coalesce_str_heaps()
+// when we have pointers into the heap. TODO: This might need to attention for a future release,
but
+// ok for now. /leif
+static void verify_heap_prealloc(HdrHeap *heap, size_t prealloc_len)
+{
+    // If there just isn't enough free space in the read-write heap.
+    if (heap->m_read_write_heap && heap->m_read_write_heap->m_free_size
<= prealloc_len) {
+        // Allocate enough space, 'free' it, and then coalesce it so it will actually be
free not just lost.
+        heap->free_string(heap->allocate_str(prealloc_len), prealloc_len);
+        heap->coalesce_str_heaps();
+    }
+}
+
 /*-------------------------------------------------------------------------
   -------------------------------------------------------------------------*/
 
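Review bot: The comment above verify_heap_prealloc does not state the contract the fix depends on. The helper only works if it runs before any pointer into the string heap is captured, and if prealloc_len is an upper bound on every string the caller allocates afterwards; otherwise a later allocate_str could still coalesce the heap and leave those pointers dangling. I would say so directly, e.g. `// Must be called before taking pointers into the heap; prealloc_len must cover all later string allocations made by the caller.` The parameter is size_t while the call sites pass a sum of what look like signed lengths, so a negative new_piece_len would convert to a very large request; an assertion or early return for that case is worth adding.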
@@ -1949,6 +1962,8 @@ mime_field_value_set_comma_val(HdrHeap *
   Str *cell;
   StrList list(false);
 
+  verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
+
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value,
',');
 
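Review bot: The reserve size `field->m_len_value + 2 + new_piece_len` is only safe if the rebuilt value can never be longer than that, and nothing visible in this hunk establishes it. The tokens are parsed without surrounding whitespace and presumably re-joined by mime_field_value_str_from_strlist; if that join writes a two-byte separator between pieces, a value stored as `a,b,c` grows by one byte per comma and can exceed the estimate, so the later allocation could still coalesce the heap while the list holds pointers into it. The same concern applies to the calls added in mime_field_value_delete_comma_val (which reserves only `field->m_len_value`), mime_field_value_insert_comma_val and mime_field_value_extend_comma_val. A conservative bound such as `verify_heap_prealloc(heap, 2 * field->m_len_value + 2 + new_piece_len);` would cover the worst case, if the join behaves as assumed. The function bodies continue outside these hunks, so this needs checking against the join code.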
@@ -1979,6 +1994,8 @@ mime_field_value_delete_comma_val(HdrHea
   Str *cell;
   StrList list(false);
 
+  verify_heap_prealloc(heap, field->m_len_value);
+
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value,
',');
 
@@ -2025,6 +2042,7 @@ mime_field_value_insert_comma_val(HdrHea
   Str *cell, *prev;
   StrList list(false);
 
+  verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value,
',');
 
@@ -2065,6 +2083,8 @@ mime_field_value_extend_comma_val(HdrHea
   size_t extended_len;
   char *dest, *temp_ptr, temp_buf[128];
 
+  verify_heap_prealloc(heap, field->m_len_value + 2 + new_piece_len);
+
   // (1) rip the value into tokens, keeping surrounding quotes, but not whitespace
   HttpCompat::parse_tok_list(&list, 0, field->m_ptr_value, field->m_len_value,
',');
 


