Updated Branches: refs/heads/master 17f782e7b -> 6b0fe6708
TS-2270 ESI Plugin can have infinite loop on gunzip Reviewed: leif Note: I'm not an expert on gzip, but these changes seems inline with how we deal with this in the gzip plugin. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/6b0fe670 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/6b0fe670 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/6b0fe670 Branch: refs/heads/master Commit: 6b0fe6708de8c73f8486ebe3c6c519d9aeceef68 Parents: 17f782e Author: Kit Chan <chanshukit at gmail dot com> Authored: Thu Oct 10 11:15:28 2013 -0600 Committer: Leif Hedstrom <[email protected]> Committed: Thu Oct 10 11:15:28 2013 -0600 ---------------------------------------------------------------------- CHANGES | 3 +++ plugins/experimental/esi/lib/gzip.cc | 11 ++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6b0fe670/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index fa566c0..d054929 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 4.1.0 + *) [TS-2270] ESI Plugin can have infinite loop while doing gunzip on + responses. Author: Kit Chan. + *) [TS-2268] Add support for opening protocol traffic sockets through the traffic_manager. Added TSPluginDescriptorAccept into expiremental API. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6b0fe670/plugins/experimental/esi/lib/gzip.cc ---------------------------------------------------------------------- diff --git a/plugins/experimental/esi/lib/gzip.cc b/plugins/experimental/esi/lib/gzip.cc index f938151..5be1be4 100644 --- a/plugins/experimental/esi/lib/gzip.cc +++ b/plugins/experimental/esi/lib/gzip.cc @@ -163,14 +163,19 @@ EsiLib::gunzip(const char *data, int data_len, BufferList &buf_list) { do { zstrm.next_out = reinterpret_cast<Bytef *>(raw_buf); zstrm.avail_out = BUF_SIZE; - inflate_result = inflate(&zstrm, Z_FINISH); + inflate_result = inflate(&zstrm, Z_SYNC_FLUSH); curr_buf_size = -1; if ((inflate_result == Z_OK) || (inflate_result == Z_BUF_ERROR)) { curr_buf_size = BUF_SIZE; } else if (inflate_result == Z_STREAM_END) { curr_buf_size = BUF_SIZE - zstrm.avail_out; } - if (curr_buf_size == -1) { + if (curr_buf_size > BUF_SIZE) { + Utils::ERROR_LOG("[%s] buf too large", __FUNCTION__); + break; + } + if (curr_buf_size < 1) { + Utils::ERROR_LOG("[%s] buf below zero", __FUNCTION__); break; } unzipped_data_size += curr_buf_size; @@ -185,7 +190,7 @@ EsiLib::gunzip(const char *data, int data_len, BufferList &buf_list) { if (inflate_result == Z_STREAM_END) { break; } - } while (true); + } while (zstrm.avail_in > 0); inflateEnd(&zstrm); if (inflate_result != Z_STREAM_END) { Utils::ERROR_LOG("[%s] Failure while inflating; error code %d", __FUNCTION__, inflate_result);
