
Commit f1e2fa4

sc-allocator: Do not panic on invalid header pointer (#13925)
We should not panic on an invalid header pointer and instead return an error. It is possible that the application modifies the header pointer illegally, but then we should return an error instead of panicking.
1 parent 3f8dc9e commit f1e2fa4


1 file changed

+26
-5
lines changed


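--- a/client/allocator/src/freeing_bump.rs
+++ b/client/allocator/src/freeing_bump.rs
@@ -421,11 +421,11 @@ impl FreeingBumpHeapAllocator {
 
 let header_ptr: u32 = match self.free_lists[order] {
 Link::Ptr(header_ptr) => {
-assert!(
-u64::from(header_ptr + order.size() + HEADER_SIZE) <= mem.size(),
-"Pointer is looked up in list of free entries, into which
-only valid values are inserted; qed"
-);
+if (u64::from(header_ptr) + u64::from(order.size()) + u64::from(HEADER_SIZE)) >
+mem.size()
+{
+return Err(error("Invalid header pointer detected"))
+}
 
 // Remove this header from the free list.
 let next_free = Header::read_from(mem, header_ptr)?
@@ -1106,4 +1106,25 @@ mod tests {
 
 assert_eq!(3, mem.pages());
 }
+
+#[test]
+fn modifying_the_header_leads_to_an_error() {
+let mut mem = MemoryInstance::with_pages(1);
+let mut heap = FreeingBumpHeapAllocator::new(0);
+
+let ptr = heap.allocate(&mut mem, 5).unwrap();
+
+heap.deallocate(&mut mem, ptr).unwrap();
+
+Header::Free(Link::Ptr(u32::MAX - 1))
+.write_into(&mut mem, u32::from(ptr) - HEADER_SIZE)
+.unwrap();
+
+heap.allocate(&mut mem, 5).unwrap();
+assert!(heap
+.allocate(&mut mem, 5)
+.unwrap_err()
+.to_string()
+.contains("Invalid header pointer"));
+}
 }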
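Review bot: The new guard on `header_ptr` in the `Link::Ptr` arm only bounds the end of the block against `mem.size()`; it does not establish that the link points at a header the allocator itself wrote, so a tampered link that still lands inside memory reaches `Header::read_from` unchanged. Since the commit message treats the header as application-modifiable, I would record that limit next to the check, e.g. `// Upper bound only: an in-range but forged link is not detected here.`, and, if the allocator tracks its heap base (not visible in this hunk), reject pointers below it as well. The added test exercises only `u32::MAX - 1`; a second case with a link whose block ends one byte past `mem.size()` would pin the `>` comparison, and a short comment explaining why the first `allocate` after the overwrite still succeeds would help the next reader. The enclosing match and function start and end outside the hunk.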
