This is an automated email from the ASF dual-hosted git repository.
JosiahWI pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 3189423892 Clamp HTTP3 frame type buf size to reader bytes (#13242)
3189423892 is described below
commit 318942389264f51e728624c7f02237eab3a09cec
Author: JosiahWI <[email protected]>
AuthorDate: Mon Jun 8 05:49:42 2026 -0500
Clamp HTTP3 frame type buf size to reader bytes (#13242)
* Clamp HTTP3 frame type buf size to reader bytes
The length of the source buffer for HTTP3 type parsing was always taken
to be the maximum length of the type field. This seemed to work without
UB when I tested it through `Http3FrameDispatcher`, but Kit Chan pointed
out that it is risky (#11720).
This patch refactors the type parsing to guarantee that the number of
bytes passed to the parser will not be greater than the number of
initialized bytes in the buffer.
* Fix incorrect identifier name
Co-authored-by: Copilot Autofix powered by AI
<[email protected]>
* Fix incorrect identifier
* Fix incorrect identifier name
Co-authored-by: Copilot Autofix powered by AI
<[email protected]>
---------
Co-authored-by: Copilot Autofix powered by AI
<[email protected]>
---
src/proxy/http3/Http3Frame.cc | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/proxy/http3/Http3Frame.cc b/src/proxy/http3/Http3Frame.cc
index 0060dad16d..64b0a0a465 100644
--- a/src/proxy/http3/Http3Frame.cc
+++ b/src/proxy/http3/Http3Frame.cc
@@ -27,6 +27,8 @@
#include "proxy/http3/Http3Frame.h"
#include "proxy/http3/Http3Config.h"
+#include <algorithm>
+
ClassAllocator<Http3Frame, false>
http3FrameAllocator("http3FrameAllocator");
ClassAllocator<Http3DataFrame, false>
http3DataFrameAllocator("http3DataFrameAllocator");
ClassAllocator<Http3HeadersFrame, false>
http3HeadersFrameAllocator("http3HeadersFrameAllocator");
@@ -505,9 +507,10 @@ Http3FrameFactory::create(IOBufferReader &reader)
ts::Http3Config::scoped_config params;
Http3Frame *frame = nullptr;
- uint8_t type_buf[FRAME_TYPE_MAX_BYTES]{};
- reader.memcpy(type_buf, sizeof(type_buf));
- Http3FrameType type = Http3Frame::type(type_buf, sizeof(type_buf));
+ uint8_t type_buf[FRAME_TYPE_MAX_BYTES]{};
+ std::size_t const type_avail{std::min<std::size_t>(reader.read_avail(),
sizeof(type_buf))};
+ reader.memcpy(type_buf, type_avail);
+ Http3FrameType type = Http3Frame::type(type_buf, type_avail);
switch (type) {
case Http3FrameType::HEADERS:
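Review bot: The clamp leaves two short-input cases to `Http3Frame::type()`, which is not visible in this hunk: `type_avail == 0` when the reader is empty, and a first byte whose variable-length prefix announces more bytes than `type_avail`. Because `type_buf` is zero-initialized, a parser that fell back to the buffer contents on a short length would presumably decode type 0 instead of reporting an incomplete field, so it is worth confirming that `type()` returns a distinct result in both cases and adding a test for each. A comment above the call would record the contract, e.g. `// type_avail may be 0 or shorter than the encoded type field; Http3Frame::type() must not read past it`. The same sequence is added to `fast_create()` in the next hunk, and the body of `create()` continues outside this hunk.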
@@ -534,9 +537,10 @@ Http3FrameFactory::create(IOBufferReader &reader)
std::shared_ptr<Http3Frame>
Http3FrameFactory::fast_create(IOBufferReader &reader)
{
- uint8_t type_buf[FRAME_TYPE_MAX_BYTES]{};
- reader.memcpy(type_buf, sizeof(type_buf));
- Http3FrameType type = Http3Frame::type(type_buf, sizeof(type_buf));
+ uint8_t type_buf[FRAME_TYPE_MAX_BYTES]{};
+ std::size_t const type_avail{std::min<std::size_t>(reader.read_avail(),
sizeof(type_buf))};
+ reader.memcpy(type_buf, type_avail);
+ Http3FrameType type = Http3Frame::type(type_buf, type_avail);
if (type == Http3FrameType::UNKNOWN) {
if (!this->_unknown_frame) {
this->_unknown_frame = Http3FrameFactory::create(reader);
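Review bot: The four added lines in `fast_create()` are a copy of the ones added to `create()`, so the bound on the copy length now has to be kept correct in two places. A small file-local helper that takes the reader and returns the `Http3FrameType` would hold the clamp once, leaving each call site as a single line such as `Http3FrameType type = peek_frame_type(reader);` (the helper name is only a suggestion). The body of `fast_create()` continues outside this hunk.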