TS-2618] IOBufferBlock::realloc()'s bounds check is wrong. Original suggestions from William Bardwell.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/3e35848d Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/3e35848d Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/3e35848d Branch: refs/heads/5.0.x Commit: 3e35848dc793aec663d03faa56080c7d03d6fd9b Parents: 92de605 Author: Leif Hedstrom <[email protected]> Authored: Wed May 28 09:34:46 2014 -0600 Committer: Leif Hedstrom <[email protected]> Committed: Wed May 28 09:35:35 2014 -0600 ---------------------------------------------------------------------- CHANGES | 2 ++ iocore/eventsystem/P_IOBuffer.h | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/3e35848d/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 7e85d7f..2dbba8a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.0.0 + *) [TS-2618] IOBufferBlock::realloc()'s bounds check is wrong. + *) [TS-2850] Fix logging of response header length. *) [TS-2839] tsxs does not work on OSX (Darwin). http://git-wip-us.apache.org/repos/asf/trafficserver/blob/3e35848d/iocore/eventsystem/P_IOBuffer.h ---------------------------------------------------------------------- diff --git a/iocore/eventsystem/P_IOBuffer.h b/iocore/eventsystem/P_IOBuffer.h index 20e1405..55b8add 100644 --- a/iocore/eventsystem/P_IOBuffer.h +++ b/iocore/eventsystem/P_IOBuffer.h @@ -530,10 +530,9 @@ IOBufferBlock::realloc_xmalloc(int64_t buf_size) TS_INLINE void IOBufferBlock::realloc(int64_t i) { - if (i == data->_size_index) - return; - if (i >= (int64_t) sizeof(ioBufAllocator)) + if ((i == data->_size_index) || (i >= (int64_t)countof(ioBufAllocator))) { return; + } ink_release_assert(i > data->_size_index && i != BUFFER_SIZE_NOT_ALLOCATED); void *b = ioBufAllocator[i].alloc_void();
