sc-allocator: Do not panic on invalid header pointer (#13925)

We should not panic on an invalid header pointer and instead return an error. It is possible that the application modifies the header pointer illegally, but then we should return an error instead of panicking.
paritytech · Apr 15, 2023 · f1e2fa4 · f1e2fa4
1 parent 3f8dc9e
commit f1e2fa4
Showing 1 changed file with 26 additions and 5 deletions.
diff --git a/client/allocator/src/freeing_bump.rs b/client/allocator/src/freeing_bump.rs
@@ -421,11 +421,11 @@ impl FreeingBumpHeapAllocator {
 
 		let header_ptr: u32 = match self.free_lists[order] {
 			Link::Ptr(header_ptr) => {
-				assert!(
-					u64::from(header_ptr + order.size() + HEADER_SIZE) <= mem.size(),
-					"Pointer is looked up in list of free entries, into which
-					only valid values are inserted; qed"
-				);
+				if (u64::from(header_ptr) + u64::from(order.size()) + u64::from(HEADER_SIZE)) >
+					mem.size()
+				{
+					return Err(error("Invalid header pointer detected"))
+				}
 
 				// Remove this header from the free list.
 				let next_free = Header::read_from(mem, header_ptr)?
@@ -1106,4 +1106,25 @@ mod tests {
 
 		assert_eq!(3, mem.pages());
 	}
+
+	#[test]
+	fn modifying_the_header_leads_to_an_error() {
+		let mut mem = MemoryInstance::with_pages(1);
+		let mut heap = FreeingBumpHeapAllocator::new(0);
+
+		let ptr = heap.allocate(&mut mem, 5).unwrap();
+
+		heap.deallocate(&mut mem, ptr).unwrap();
+
+		Header::Free(Link::Ptr(u32::MAX - 1))
+			.write_into(&mut mem, u32::from(ptr) - HEADER_SIZE)
+			.unwrap();
+
+		heap.allocate(&mut mem, 5).unwrap();
+		assert!(heap
+			.allocate(&mut mem, 5)
+			.unwrap_err()
+			.to_string()
+			.contains("Invalid header pointer"));
+	}
 }