fix memory corruption and other 32bit overflows

viabtc · Aug 8, 2018 · 5c2dc2b · 5c2dc2b
1 parent df3b4cb
commit 5c2dc2b
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 5 deletions.
diff --git a/network/nw_buf.c b/network/nw_buf.c
@@ -8,7 +8,9 @@
 # include "nw_buf.h"
 
 # define NW_BUF_POOL_INIT_SIZE 64
+# define NW_BUF_POOL_MAX_SIZE  65535
 # define NW_CACHE_INIT_SIZE    64
+# define NW_CACHE_MAX_SIZE     65535
 
 size_t nw_buf_size(nw_buf *buf)
 {
@@ -85,7 +87,7 @@ void nw_buf_free(nw_buf_pool *pool, nw_buf *buf)
 {
     if (pool->free < pool->free_total) {
         pool->free_arr[pool->free++] = buf;
-    } else {
+    } else if (pool->free_total < NW_BUF_POOL_MAX_SIZE) {
         uint32_t new_free_total = pool->free_total * 2;
         void *new_arr = realloc(pool->free_arr, new_free_total * sizeof(nw_buf *));
         if (new_arr) {
@@ -95,6 +97,8 @@ void nw_buf_free(nw_buf_pool *pool, nw_buf *buf)
         } else {
             free(buf);
         }
+    } else {
+        free(buf);
     }
 }
 
@@ -230,7 +234,7 @@ void nw_cache_free(nw_cache *cache, void *obj)
 {
     if (cache->free < cache->free_total) {
         cache->free_arr[cache->free++] = obj;
-    } else {
+    } else if (cache->free_total < NW_CACHE_MAX_SIZE) {
         uint32_t new_free_total = cache->free_total * 2;
         void *new_arr = realloc(cache->free_arr, new_free_total * sizeof(void *));
         if (new_arr) {
@@ -240,6 +244,8 @@ void nw_cache_free(nw_cache *cache, void *obj)
         } else {
             free(obj);
         }
+    } else {
+        free(obj);
     }
 }
 

diff --git a/utils/ut_rpc.c b/utils/ut_rpc.c
@@ -44,13 +44,19 @@ int rpc_pack(rpc_pkg *pkg, void **data, uint32_t *size)
 {
     static void *send_buf;
     static size_t send_buf_size;
-    uint32_t pkg_size = RPC_PKG_HEAD_SIZE + pkg->ext_size + pkg->body_size;
+    uint32_t pkg_size;
+    if (pkg->body_size > RPC_PKG_MAX_BODY_SIZE) {
+        return -1;
+    }
+    pkg_size = RPC_PKG_HEAD_SIZE + pkg->ext_size + pkg->body_size;
     if (send_buf_size < pkg_size) {
         if (send_buf)
             free(send_buf);
         send_buf_size = pkg_size * 2;
         send_buf = malloc(send_buf_size);
-        assert(send_buf != NULL);
+        if (send_buf == NULL) {
+            return -1;
+        }
     }
 
     memcpy(send_buf, pkg, RPC_PKG_HEAD_SIZE);

diff --git a/utils/ut_rpc.h b/utils/ut_rpc.h
@@ -32,6 +32,7 @@ typedef struct rpc_pkg {
 # pragma pack()
 
 # define RPC_PKG_HEAD_SIZE (sizeof(rpc_pkg) - sizeof(void *) * 2)
+# define RPC_PKG_MAX_BODY_SIZE ((UINT32_MAX / 2) - UINT16_MAX - sizeof(rpc_pkg))
 
 int rpc_decode(nw_ses *ses, void *data, size_t max);
 int rpc_pack(rpc_pkg *pkg, void **data, uint32_t *size);

diff --git a/utils/ut_ws_svr.c b/utils/ut_ws_svr.c
@@ -129,7 +129,7 @@ static int on_http_message_complete(http_parser* parser)
     if (upgrade == NULL || strcasecmp(upgrade, "websocket") != 0)
         goto error;
     const char *connection = http_request_get_header(info->request, "Connection");
-    if (connection == NULL)
+    if (connection == NULL || strlen(connection) > UT_WS_SVR_MAX_HEADER_SIZE)
         goto error;
     else {
         bool found_upgrade = false;

diff --git a/utils/ut_ws_svr.h b/utils/ut_ws_svr.h
@@ -12,6 +12,8 @@
 # include "nw_buf.h"
 # include "nw_timer.h"
 
+# define UT_WS_SVR_MAX_HEADER_SIZE 1024
+
 typedef struct ws_svr_cfg {
     uint32_t bind_count;
     nw_svr_bind *bind_arr;