Merge pull request #12008 from ncteisen/fuzz-direct-leak-in-malloc

Fix leak if duplicated static metadata
pull/12014/head
Noah Eisen 7 years ago committed by GitHub
commit c073e43488
  1. 15
      src/core/lib/surface/call.c
  2. BIN
      test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-4688823906729984
  3. 23
      tools/run_tests/generated/tests.json

@ -825,7 +825,7 @@ uint32_t grpc_call_test_only_get_encodings_accepted_by_peer(grpc_call *call) {
return encodings_accepted_by_peer; return encodings_accepted_by_peer;
} }
static grpc_linked_mdelem *linked_from_md(grpc_metadata *md) { static grpc_linked_mdelem *linked_from_md(const grpc_metadata *md) {
return (grpc_linked_mdelem *)&md->internal_data; return (grpc_linked_mdelem *)&md->internal_data;
} }
@ -849,7 +849,7 @@ static int prepare_application_metadata(
for (i = 0; i < total_count; i++) { for (i = 0; i < total_count; i++) {
const grpc_metadata *md = const grpc_metadata *md =
get_md_elem(metadata, additional_metadata, i, count); get_md_elem(metadata, additional_metadata, i, count);
grpc_linked_mdelem *l = (grpc_linked_mdelem *)&md->internal_data; grpc_linked_mdelem *l = linked_from_md(md);
GPR_ASSERT(sizeof(grpc_linked_mdelem) == sizeof(md->internal_data)); GPR_ASSERT(sizeof(grpc_linked_mdelem) == sizeof(md->internal_data));
if (!GRPC_LOG_IF_ERROR("validate_metadata", if (!GRPC_LOG_IF_ERROR("validate_metadata",
grpc_validate_header_key_is_legal(md->key))) { grpc_validate_header_key_is_legal(md->key))) {
@ -866,7 +866,7 @@ static int prepare_application_metadata(
for (int j = 0; j < i; j++) { for (int j = 0; j < i; j++) {
const grpc_metadata *md = const grpc_metadata *md =
get_md_elem(metadata, additional_metadata, j, count); get_md_elem(metadata, additional_metadata, j, count);
grpc_linked_mdelem *l = (grpc_linked_mdelem *)&md->internal_data; grpc_linked_mdelem *l = linked_from_md(md);
GRPC_MDELEM_UNREF(exec_ctx, l->md); GRPC_MDELEM_UNREF(exec_ctx, l->md);
} }
return 0; return 0;
@ -884,9 +884,12 @@ static int prepare_application_metadata(
} }
for (i = 0; i < total_count; i++) { for (i = 0; i < total_count; i++) {
grpc_metadata *md = get_md_elem(metadata, additional_metadata, i, count); grpc_metadata *md = get_md_elem(metadata, additional_metadata, i, count);
GRPC_LOG_IF_ERROR( grpc_linked_mdelem *l = linked_from_md(md);
"prepare_application_metadata", grpc_error *error = grpc_metadata_batch_link_tail(exec_ctx, batch, l);
grpc_metadata_batch_link_tail(exec_ctx, batch, linked_from_md(md))); if (error != GRPC_ERROR_NONE) {
GRPC_MDELEM_UNREF(exec_ctx, l->md);
}
GRPC_LOG_IF_ERROR("prepare_application_metadata", error);
} }
call->send_extra_metadata_count = 0; call->send_extra_metadata_count = 0;
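Review bot: The added `GRPC_MDELEM_UNREF(exec_ctx, l->md);` in the last loop of prepare_application_metadata is only correct if grpc_metadata_batch_link_tail leaves the reference with the caller whenever it returns an error, and nothing in the visible lines states that contract. If link_tail ever releases the element itself on failure, this leak fix becomes a double unref, so I would add a comment above the check such as `/* link_tail does not take ownership on failure; drop our ref */`. After the unref, `l->md` inside the caller's `internal_data` still refers to the released element, and the loop carries on to return through the normal path; whether anything reads that field later is not visible here and is worth confirming. The function body starts and ends outside the hunk.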

@ -92736,6 +92736,29 @@
], ],
"uses_polling": false "uses_polling": false
}, },
{
"args": [
"test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-4688823906729984"
],
"ci_platforms": [
"linux"
],
"cpu_cost": 0.1,
"exclude_configs": [
"tsan"
],
"exclude_iomgrs": [
"uv"
],
"flaky": false,
"language": "c",
"name": "api_fuzzer_one_entry",
"platforms": [
"mac",
"linux"
],
"uses_polling": false
},
{ {
"args": [ "args": [
"test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-5175380371570688" "test/core/end2end/fuzzers/api_fuzzer_corpus/clusterfuzz-testcase-minimized-5175380371570688"
