`try_reserve` can panic despite "try" prefix suggesting error handling

[AriajSarkar]

The try_reserve method in HeaderMap can panic even though its name and signature suggest it should return an error instead. This violates Rust conventions where try_* methods should handle errors gracefully.

Location:

• File: src/header/map.rs
• Method: try_reserve (line 744)
• Helper function: to_raw_capacity (line 3624)

Problem:

The to_raw_capacity helper function panics on overflow:

#[inline]
fn to_raw_capacity(n: usize) -> usize {
    match n.checked_add(n / 3) {
        Some(n) => n,
        None => panic!(
            "requested capacity {} too large: overflow while converting to raw capacity",
            n
        ),
    }
}

This function is called from try_reserve at line 753:

pub fn try_reserve(&mut self, additional: usize) -> Result<(), MaxSizeReached> {
    let cap = self
        .entries
        .len()
        .checked_add(additional)
        .ok_or_else(MaxSizeReached::new)?;

    let raw_cap = to_raw_capacity(cap);  // ← CAN PANIC HERE
    
    if raw_cap > self.indices.len() {
        let raw_cap = raw_cap
            .checked_next_power_of_two()
            .ok_or_else(MaxSizeReached::new)?;
        // ...
    }
}

I have a potential fix for this. Should I submit a PR?

[seanmonstar]

Has it panicked in a real application? It does look like you're right, but I wonder if it never happens in practice, or if it does happen.

[AriajSarkar]

Thanks for reviewing! You are right to ask about real world impact.
Let me clarify:

Can this happen in practice?

Yes, but it depends on the application architecture:

Real-World Scenarios:

1. Memory-constrained environments (32-bit systems, embedded, WASM):

   • On 32-bit: usize::MAX = 4,294,967,295
   • Overflow triggers at ~3.2 billion capacity
   • More realistic to hit in memory-limited contexts

2. Amplification attacks:

   • If applications call try_reserve() with user-influenced values (e.g., Content-Length header, expect: 100-continue scenarios)
   • Batch processing systems that accumulate headers from multiple requests

3. Library composition:

   • Downstream crates might wrap HeaderMap and pass through untrusted capacity values
   • Defense-in-depth principle: even if unlikely, try_* methods shouldn't panic

Why Fix Anyway?

API Contract: The bigger issue is the violation of Rust conventions. Methods prefixed with try_ explicitly promise to return Result instead of panicking. This is documented behavior that users rely on:

// Users expect this to NEVER panic:
if let Err(e) = map.try_reserve(untrusted_value) {
    // handle error gracefully
}

Currently, this assumption is violated for overflow cases.

Zero cost: The fix has no performance impact - we're already doing checked_add, just changing panic to error return. Same instructions, better behavior. (The Fix!!)

Soundness: Even if rare, having panic-on-overflow in a capacity calculation is a landmine. Better to fix proactively than wait for a CVE report.

From my search through the repository issues and changelog:

1. Issue HeaderMap::try_with_capacity can panic when capacity is large #709 (July 2, 2024): "HeaderMap::try_with_capacity can panic when capacity is large"

   • This is the EXACT same issue but for try_with_capacity()
   • Someone already reported this problem exists

2. Issue Arithmetic overflow found on with_capacity() #627 (Sep 19, 2023): "Arithmetic overflow found on with_capacity()"

   • Another report about arithmetic overflow in capacity calculations

3. Issue HeaderMap::from_iter panics when size is known #604 (Apr 27, 2023): "HeaderMap::from_iter panics when size is known"

   • Panic in HeaderMap due to capacity issues

4. CHANGELOG v0.2.10 (November 10, 2023):

   • "Fix HeaderMap::with_capacity() to handle arithmetic overflow."
   • The maintainers already fixed this once before!

5. CHANGELOG v1.1.0 (March 4, 2024):

   • "Add methods to allow trying to allocate in the HeaderMap, returning an error if oversize instead of panicking."
   • This is when try_reserve() and try_with_capacity() were added

The Problem:

The internal helper function to_raw_capacity() was never updated when the try_* methods were added in v1.1.0. It still panics instead of returning an error, which means:

• ✅ with_capacity() was fixed in v0.2.10 to handle overflow
• ✅ try_reserve() and try_with_capacity() were added in v1.1.0 to provide error handling
• ❌ But to_raw_capacity() still panics, defeating the purpose of the try_* methods

[seanmonstar]

Hm, I do appreciate you trying to help, really! But I didn't mean to generally ask an LLM, I can do that myself. I was asking if you had run into this panic.

[AriajSarkar]

You're right — I used AI to format that response and it came out way too verbose. My bad!

To directly answer: No, I haven't run into this panic in production.

I found this while reviewing the code for a project. I noticed try_reserve() calls to_raw_capacity() which panics, even though the try_ prefix means it should return a Result. I wrote a test to confirm it panics, then saw Issue #709 which reports the same problem for try_with_capacity().

The fix seemed straightforward — change to_raw_capacity() to return a Result instead of panicking — so I implemented it. All existing tests pass, and my test now returns an error instead of crashing.

I get that you might want to wait for someone who's actually hit this in the wild. But given #709 exists and the fix is literally just changing a panic to an error return (zero performance cost), I figured it was worth submitting.

Let me know if you'd rather close this until there's a confirmed production case!

[seanmonstar]

Fixing it seems like a fine idea, and likely pretty simple code wise. A PR is welcome :)