This is an automated email from the ASF dual-hosted git repository.

cmcfarlen pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 61b030b273ba15eae379b92774fc7e4111f72877
Author: Brian Neradt <[email protected]>
AuthorDate: Wed Oct 22 20:17:14 2025 -0500

    Fix crash when ESI plugin exceeds max_doc_size limit (#12600)
    
    When ESI documents exceeded the configured max_doc_size, ATS would crash
    with an assertion failure in TSVIONBytesSet() due to passing an 
uninitialized
    value. The crash occurred because the overall_len variable in 
transformData()
    was declared but not initialized, and EsiProcessor::flush() would return 
FAILURE
    without setting output parameters when in an ERRORED state. This fix initializes
    overall_len to 0 and ensures flush() sets valid output parameters before returning
    FAILURE. The connection now closes gracefully when the limit is exceeded.
    
    (cherry picked from commit 71450ee8957605ad5f528d700d10290bb03c7c54)
---
 plugins/esi/esi.cc              | 4 ++--
 plugins/esi/lib/EsiProcessor.cc | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/plugins/esi/esi.cc b/plugins/esi/esi.cc
index 229f68dac0..3b2e0f1060 100644
--- a/plugins/esi/esi.cc
+++ b/plugins/esi/esi.cc
@@ -822,8 +822,8 @@ transformData(TSCont contp)
     CONT_DATA_DBG(cont_data, "[%s] trying to process doc", __FUNCTION__);
     string                   out_data;
     string                   cdata;
-    int                      overall_len;
-    EsiProcessor::ReturnCode retval = cont_data->esi_proc->flush(out_data, 
overall_len);
+    int                      overall_len = 0;
+    EsiProcessor::ReturnCode retval      = 
cont_data->esi_proc->flush(out_data, overall_len);
 
     if ((cont_data->curr_state == ContData::FETCHING_DATA) && 
cont_data->data_fetcher->isFetchComplete()) {
       CONT_DATA_DBG(cont_data, "[%s] data ready; last process() will have 
finished the entire processing", __FUNCTION__);
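Review bot: The diffstat lists only esi.cc and EsiProcessor.cc, so nothing in this commit exercises the max_doc_size path that previously aborted in TSVIONBytesSet(). A regression test that serves an ESI document larger than the limit and checks that the process stays up would keep the crash from coming back. The hunk also does not show whether `retval` is checked before `overall_len` is used, because transformData() continues outside it; a comment at the initialization such as `// flush() can return FAILURE; 0 keeps the length later passed to TSVIONBytesSet() defined` would record why the default matters. Since document size is driven by fetched content, an assertion failure here is a denial-of-service condition for the proxy, not only a robustness issue.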
diff --git a/plugins/esi/lib/EsiProcessor.cc b/plugins/esi/lib/EsiProcessor.cc
index 0c11d49dca..e659c0bef6 100644
--- a/plugins/esi/lib/EsiProcessor.cc
+++ b/plugins/esi/lib/EsiProcessor.cc
@@ -351,6 +351,8 @@ EsiProcessor::ReturnCode
 EsiProcessor::flush(string &data, int &overall_len)
 {
   if (_curr_state == ERRORED) {
+    overall_len = 0;
+    data.assign("");
     return FAILURE;
   }
   if (_curr_state == PROCESSED) {
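Review bot: Only the ERRORED early return now writes the out-parameters. flush() continues outside this hunk, so any later path that returns FAILURE may still leave `overall_len` holding whatever the caller passed in. It would help to state the contract once above the function, for example `// Contract: data and overall_len are always written before returning, including on FAILURE.`, and to check the remaining return paths against it. As a style point, `data.clear();` expresses the intent more directly than `data.assign("");`.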
