This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch quic-latest
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/quic-latest by this push:
new 5a77a80 Fix stack-buffer-overflow on storing data frame
5a77a80 is described below
commit 5a77a807942e8ef5eb4f0b844bcc881e0367375d
Author: Masaori Koshiba <[email protected]>
AuthorDate: Wed May 1 14:31:44 2019 +0900
Fix stack-buffer-overflow on storing data frame
---
proxy/http3/Http3DataFramer.cc | 19 ++++++++++++++-----
proxy/http3/Http3Frame.h | 2 ++
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/proxy/http3/Http3DataFramer.cc b/proxy/http3/Http3DataFramer.cc
index 5f58e92..491210e 100644
--- a/proxy/http3/Http3DataFramer.cc
+++ b/proxy/http3/Http3DataFramer.cc
@@ -38,11 +38,20 @@ Http3DataFramer::generate_frame(uint16_t max_size)
Http3FrameUPtr frame = Http3FrameFactory::create_null_frame();
IOBufferReader *reader = this->_source_vio->get_reader();
- size_t len = std::min(reader->read_avail(),
static_cast<int64_t>(max_size));
- if (len) {
- frame = Http3FrameFactory::create_data_frame(reinterpret_cast<uint8_t
*>(reader->start()), len);
- reader->consume(len);
- this->_source_vio->ndone += len;
+
+ if (max_size <= Http3Frame::MAX_FRAM_HEADER_OVERHEAD) {
+ return frame;
+ }
+
+ size_t payload_len = max_size - Http3Frame::MAX_FRAM_HEADER_OVERHEAD;
+ if (!reader->is_read_avail_more_than(payload_len)) {
+ payload_len = reader->read_avail();
+ }
+
+ if (payload_len) {
+ frame = Http3FrameFactory::create_data_frame(reinterpret_cast<uint8_t
*>(reader->start()), payload_len);
+ reader->consume(payload_len);
+ this->_source_vio->ndone += payload_len;
}
return frame;
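Review bot: `payload_len` can still be as large as `reader->read_avail()`, which counts bytes across the whole buffer chain, while `reader->start()` points only into the reader's current block. If `create_data_frame` reads `payload_len` contiguous bytes from that pointer (its body is not visible here), a payload spanning more than one block would be read past the end of the first block. Clamping to the contiguous part before the `create_data_frame` call would close that, e.g. `payload_len = std::min<size_t>(payload_len, reader->block_read_avail());`. Separately, the early return for `max_size <= MAX_FRAM_HEADER_OVERHEAD` deserves a short comment saying the caller is expected to retry with a larger budget, since a peer that only ever offers a small window would otherwise never get a DATA frame. The body of `generate_frame` starts and ends outside this hunk.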
diff --git a/proxy/http3/Http3Frame.h b/proxy/http3/Http3Frame.h
index be0b48e..48ead5f 100644
--- a/proxy/http3/Http3Frame.h
+++ b/proxy/http3/Http3Frame.h
@@ -32,6 +32,8 @@
class Http3Frame
{
public:
+ constexpr static size_t MAX_FRAM_HEADER_OVERHEAD = 128; ///< Type (i) +
Length (i)
+
Http3Frame() {}
Http3Frame(const uint8_t *buf, size_t len);
Http3Frame(Http3FrameType type);
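Review bot: The new constant is misspelled (`MAX_FRAM_HEADER_OVERHEAD`) and its value of 128 is not explained by the comment next to it. A QUIC variable-length integer is at most 8 bytes, so "Type (i) + Length (i)" accounts for at most 16 bytes. Since this margin is what keeps the serialized frame inside the fixed-size buffer that overflowed, I would rename it to `MAX_FRAME_HEADER_OVERHEAD` (updating the uses in Http3DataFramer.cc). I would also extend the comment to say how 128 was chosen and which buffer size it must stay consistent with, ideally backed by a `static_assert` at the place that buffer is declared (not visible in this diff). The class body continues outside this hunk.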