Fix panic on consume in a mixed push/consume case
headerOffset() is incorrectly taking account of previous push(), so it thinks there is more data to consume. This change switches to use pk.reserved as pivot point. Reported-by: syzbot+64fef9acd509976f9ce7@syzkaller.appspotmail.com PiperOrigin-RevId: 373846283
This commit is contained in:
parent
78ae3db1a3
commit
436148d68a
|
@ -261,7 +261,7 @@ func (pk *PacketBuffer) consume(typ headerType, size int) (v tcpipbuffer.View, c
|
|||
if h.length > 0 {
|
||||
panic(fmt.Sprintf("consume must not be called twice: type %s", typ))
|
||||
}
|
||||
if pk.headerOffset()+pk.consumed+size > int(pk.buf.Size()) {
|
||||
if pk.reserved+pk.consumed+size > int(pk.buf.Size()) {
|
||||
return nil, false
|
||||
}
|
||||
h.offset = pk.consumed
|
||||
|
|
|
@ -259,6 +259,37 @@ func TestPacketHeaderPushConsumeMixed(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestPacketHeaderPushConsumeMixedTooLong(t *testing.T) {
|
||||
link := makeView(10)
|
||||
network := makeView(20)
|
||||
data := makeView(30)
|
||||
|
||||
initData := concatViews(network, data)
|
||||
pk := NewPacketBuffer(PacketBufferOptions{
|
||||
ReserveHeaderBytes: len(link),
|
||||
Data: buffer.NewViewFromBytes(initData).ToVectorisedView(),
|
||||
})
|
||||
|
||||
// 1. Push link header
|
||||
copy(pk.LinkHeader().Push(len(link)), link)
|
||||
|
||||
checkPacketContents(t, "" /* prefix */, pk, packetContents{
|
||||
link: link,
|
||||
data: initData,
|
||||
})
|
||||
|
||||
// 2. Consume network header, with a number of bytes too large.
|
||||
gotNetwork, ok := pk.NetworkHeader().Consume(len(initData) + 1)
|
||||
if ok {
|
||||
t.Fatalf("pk.NetworkHeader().Consume(%d) = %q, true; want _, false", len(initData)+1, gotNetwork)
|
||||
}
|
||||
|
||||
checkPacketContents(t, "" /* prefix */, pk, packetContents{
|
||||
link: link,
|
||||
data: initData,
|
||||
})
|
||||
}
|
||||
|
||||
func TestPacketHeaderPushCalledAtMostOnce(t *testing.T) {
|
||||
const headerSize = 10
|
||||
|
||||
|
|
Loading…
Reference in New Issue