Vincent Gramer reported in GH issue #3125 a case of crash on a BUG_ON()
condition in the rings. What happens is that a message that is one byte
less than the maximum ring size is emitted, and it passes all the checks,
but once inflated by the extra +1 for the refcount, it can no longer. But
the check was made based on message size compared to space left, except
that this space left can now be negative, which is a high positive for
size_t, so the check remained valid and triggered a BUG_ON() later.
Let's compute the size the other way around instead (i.e. current +
needed) since we can't have rings as large as half of the memory space
anyway, thus we have no risk of overflow on this one.
This needs to be backported to all versions supporting multi-threaded
rings (3.0 and above).
Thanks to Vincent for the easy and working reproducer.
(cherry picked from commit
d53ad49ad1713ee874097fff1b4a777141ca2a49)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
800da9eb7f13029b2f31cbafab13e4ddbbe5a2de)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
26a640832f0bdc4ccb50d7933bce262d92a49a08)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
vp_ring_to_data(&v1, &v2, ring_area, ring_size, head_ofs, tail_ofs);
- while (vp_size(v1, v2) > ring_size - needed - 1 - 1) {
+ while (vp_size(v1, v2) + needed + 1 + 1 > ring_size) {
/* we need to delete the oldest message (from the end),
* and we have to stop if there's a reader stuck there.
* Unless there's corruption in the buffer it's guaranteed
/* now let's update the buffer with the new tail if our message will fit */
new_tail_ofs = tail_ofs;
- if (vp_size(v1, v2) <= ring_size - needed - 1 - 1) {
+ if (vp_size(v1, v2) + needed + 1 + 1 <= ring_size) {
vp_data_to_ring(v1, v2, ring_area, ring_size, &head_ofs, &tail_ofs);
/* update the new space in the buffer */
projects / haproxy-3.0.git / commitdiff