sahvx655-wq opened a new pull request, #3329: URL: https://github.com/apache/brpc/pull/3329
the sibling control-message handlers (OnSetChunkSize, OnAck, OnWindowAckSize, OnSetPeerBandwidth) all validate message_length before touching the body, but OnUserControlMessage only caps the upper bound at 32. reading the code, a user control message with length 0 or 1 reads the 2-byte event type past the end of the stack buffer, and message_length - 2 underflows (uint32_t) to roughly 4G for the event_data StringPiece. require at least 2 bytes up front like the siblings do.
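Added example, not part of the pull request and not brpc's code: a self-contained C++ illustration of the length arithmetic described above, showing how an upper-bound-only check lets `message_length - 2` wrap and how a parser that checks both bounds rejects short bodies before reading them. All function, struct and constant names are hypothetical, and the sample message bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical names throughout; this is not brpc's code.
constexpr uint32_t kMaxUserControlLen = 32;  // upper bound mentioned in the PR
constexpr uint32_t kEventTypeLen = 2;        // 2-byte event type prefix

// Length arithmetic with only an upper-bound check: for message_length 0 or 1
// the unsigned subtraction wraps around instead of going negative.
uint32_t event_data_len_upper_bound_only(uint32_t message_length) {
    if (message_length > kMaxUserControlLen) return 0;
    return message_length - kEventTypeLen;  // 0 -> 0xFFFFFFFE, 1 -> 0xFFFFFFFF
}

struct UserControl {
    uint16_t event_type = 0;
    const uint8_t* event_data = nullptr;
    size_t event_data_len = 0;
};

// Both bounds are checked before any byte of the body is read, so the
// event-type read and the data length always stay inside the message.
bool parse_user_control(const uint8_t* body, uint32_t message_length,
                        UserControl* out) {
    if (message_length < kEventTypeLen || message_length > kMaxUserControlLen) {
        return false;
    }
    // The event type is carried in network (big-endian) byte order.
    out->event_type = static_cast<uint16_t>((body[0] << 8) | body[1]);
    out->event_data = body + kEventTypeLen;
    out->event_data_len = message_length - kEventTypeLen;
    return true;
}

int main() {
    // Constructed sample: event type 6 followed by 4 data bytes.
    const uint8_t sample[] = {0x00, 0x06, 0x00, 0x00, 0x00, 0x2A};
    UserControl uc;
    bool accepted = parse_user_control(sample, sizeof(sample), &uc);
    bool short_rejected = !parse_user_control(sample, 1, &uc);
    return (accepted && short_rejected) ? 0 : 1;
}
```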
