traeak opened a new pull request, #13263:
URL: https://github.com/apache/trafficserver/pull/13263
Fix bounds check in CacheVC::scanObject

The prior check compared doc->data() - buf->data() against
io.aiocb.aio_nbytes cast to int. The pointer arithmetic could wrap when
doc->hlen (read from disk) was very large, and the int cast truncated size_t
buffer sizes, so the check could pass while doc->hdr() and the subsequent
HTTPInfo::unmarshal walked memory past the I/O buffer.

Re-express the check in the unsigned size_t domain and validate doc->hlen
directly against the bytes remaining after the Doc header, guarding each
subtraction so it cannot underflow.
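
An added illustration of the failure mode and the fix that the PR description names; it is not code from the pull request or from Traffic Server. `DocHeader`, `legacy_check_passes` and `hardened_check_passes` are hypothetical names, and the legacy function models the described wrap with integer offsets instead of real pointers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for an on-disk document header (not the project's Doc).
struct DocHeader {
  uint32_t magic;
  uint32_t len;   // total document length as stored on disk
  uint32_t hlen;  // length of the marshalled metadata that follows the header
};

// Models the criticized pattern: the offset of the data start is derived from
// the untrusted hlen, then both sides of the comparison are narrowed to int.
bool legacy_check_passes(size_t doc_off, const DocHeader &d, size_t nbytes) {
  uint64_t data_off = static_cast<uint64_t>(doc_off) + sizeof(DocHeader) + d.hlen;
  // A huge hlen makes the narrowed value negative, so it compares as "in bounds".
  return static_cast<int>(data_off) <= static_cast<int>(nbytes);
}

// Same decision taken in the unsigned size_t domain: every subtraction is
// preceded by a comparison, and hlen is checked against the bytes that remain.
bool hardened_check_passes(size_t doc_off, const DocHeader &d, size_t nbytes) {
  if (doc_off > nbytes) {
    return false;
  }
  size_t remaining = nbytes - doc_off;  // safe: doc_off <= nbytes
  if (remaining < sizeof(DocHeader)) {
    return false;
  }
  remaining -= sizeof(DocHeader);       // safe: remaining >= sizeof(DocHeader)
  return static_cast<size_t>(d.hlen) <= remaining;
}

int main() {
  const size_t nbytes = 4096;                    // constructed I/O buffer size
  DocHeader benign{0, 100, 64};                  // constructed sample values
  DocHeader hostile{0, 0, 0xFFFFFFF0u};          // hlen close to UINT32_MAX
  std::printf("benign : legacy=%d hardened=%d\n",
              legacy_check_passes(0, benign, nbytes),
              hardened_check_passes(0, benign, nbytes));
  std::printf("hostile: legacy=%d hardened=%d\n",
              legacy_check_passes(0, hostile, nbytes),
              hardened_check_passes(0, hostile, nbytes));
  return 0;
}
```
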