[TD-5784]<fix>: fixed potential memory leak bugs in HTTP module

c9e176df · xywang · 45cb4333 · c9e176df · c9e176df
显示空白变更内容
内联并排

Showing with 46 addition and 12 deletion

src/plugins/http/src/httpParser.c src/plugins/http/src/httpParser.c +34 -8

src/plugins/http/src/httpUtil.c src/plugins/http/src/httpUtil.c +12 -4

未找到文件。
--- a/src/plugins/http/src/httpParser.c
+++ b/src/plugins/http/src/httpParser.c
@@ -101,13 +101,17 @@ char *httpGetStatusDesc(int32_t statusCode) {
 }

 static void httpCleanupString(HttpString *str) {
+  if (str->str) {
    free(str->str);
    str->str = NULL;
    str->pos = 0;
    str->size = 0;
+  }
 }

 static int32_t httpAppendString(HttpString *str, const char *s, int32_t len) {
+  char *new_str = NULL;
+
  if (str->size == 0) {
    str->pos = 0;
    str->size = len + 1;
@@ -115,7 +119,16 @@ static int32_t httpAppendString(HttpString *str, const char *s, int32_t len) {
  } else if (str->pos + len + 1 >= str->size) {
    str->size += len;
    str->size *= 4;
-    str->str = realloc(str->str, str->size);
+
+    new_str = realloc(str->str, str->size);
+    if (new_str == NULL && str->str) {
+      // if str->str was not NULL originally,
+      // the old allocated memory was left unchanged,
+      // see man 3 realloc
+      free(str->str);
+    }
+
+    str->str = new_str;
  } else {
  }

@@ -317,7 +330,7 @@ static int32_t httpOnParseHeaderField(HttpParser *parser, const char *key, const

 static int32_t httpOnBody(HttpParser *parser, const char *chunk, int32_t len) {
  HttpContext *pContext = parser->pContext;
-  HttpString * buf = &parser->body;
+  HttpString *buf = &parser->body;
  if (parser->parseCode != TSDB_CODE_SUCCESS) return -1;

  if (buf->size <= 0) {
@@ -326,6 +339,7 @@ static int32_t httpOnBody(HttpParser *parser, const char *chunk, int32_t len) {
  }

  int32_t newSize = buf->pos + len + 1;
+  char *newStr = NULL;
  if (newSize >= buf->size) {
    if (buf->size >= HTTP_BUFFER_SIZE) {
      httpError("context:%p, fd:%d, failed parse body, exceeding buffer size %d", pContext, pContext->fd, buf->size);
@@ -336,7 +350,12 @@ static int32_t httpOnBody(HttpParser *parser, const char *chunk, int32_t len) {
    newSize = MAX(newSize, HTTP_BUFFER_INIT);
    newSize *= 4;
    newSize = MIN(newSize, HTTP_BUFFER_SIZE);
-    buf->str = realloc(buf->str, newSize);
+    newStr = realloc(buf->str, newSize);
+    if (newStr == NULL && buf->str) {
+      free(buf->str);
+    }
+
+    buf->str = newStr;
    buf->size = newSize;

    if (buf->str == NULL) {
@@ -374,13 +393,20 @@ static HTTP_PARSER_STATE httpTopStack(HttpParser *parser) {

 static int32_t httpPushStack(HttpParser *parser, HTTP_PARSER_STATE state) {
  HttpStack *stack = &parser->stacks;
+  int8_t *newStacks = NULL;
  if (stack->size == 0) {
    stack->pos = 0;
    stack->size = 32;
    stack->stacks = malloc(stack->size * sizeof(int8_t));
  } else if (stack->pos + 1 > stack->size) {
    stack->size *= 2;
-    stack->stacks = realloc(stack->stacks, stack->size * sizeof(int8_t));
+
+    newStacks = realloc(stack->stacks, stack->size * sizeof(int8_t));
+    if (newStacks == NULL && stack->stacks) {
+      free(stack->stacks);
+    }
+
+    stack->stacks = newStacks;
  } else {
  }


--- a/src/plugins/http/src/httpUtil.c
+++ b/src/plugins/http/src/httpUtil.c
@@ -188,13 +188,17 @@ bool httpMallocMultiCmds(HttpContext *pContext, int32_t cmdSize, int32_t bufferS
 bool httpReMallocMultiCmdsSize(HttpContext *pContext, int32_t cmdSize) {
  HttpSqlCmds *multiCmds = pContext->multiCmds;

-  if (cmdSize > HTTP_MAX_CMD_SIZE) {
+  if (cmdSize <= 0 && cmdSize > HTTP_MAX_CMD_SIZE) {
    httpError("context:%p, fd:%d, user:%s, mulitcmd size:%d large then %d", pContext, pContext->fd, pContext->user,
              cmdSize, HTTP_MAX_CMD_SIZE);
    return false;
  }

-  multiCmds->cmds = (HttpSqlCmd *)realloc(multiCmds->cmds, (size_t)cmdSize * sizeof(HttpSqlCmd));
+  HttpSqlCmd *new_cmds = (HttpSqlCmd *)realloc(multiCmds->cmds, (size_t)cmdSize * sizeof(HttpSqlCmd));
+  if (new_cmds == NULL && multiCmds->cmds) {
+    free(multiCmds->cmds);
+  }
+  multiCmds->cmds = new_cmds;
  if (multiCmds->cmds == NULL) {
    httpError("context:%p, fd:%d, user:%s, malloc cmds:%d error", pContext, pContext->fd, pContext->user, cmdSize);
    return false;
@@ -208,13 +212,17 @@ bool httpReMallocMultiCmdsSize(HttpContext *pContext, int32_t cmdSize) {
 bool httpReMallocMultiCmdsBuffer(HttpContext *pContext, int32_t bufferSize) {
  HttpSqlCmds *multiCmds = pContext->multiCmds;

-  if (bufferSize > HTTP_MAX_BUFFER_SIZE) {
+  if (bufferSize <= 0 || bufferSize > HTTP_MAX_BUFFER_SIZE) {
    httpError("context:%p, fd:%d, user:%s, mulitcmd buffer size:%d large then %d", pContext, pContext->fd,
              pContext->user, bufferSize, HTTP_MAX_BUFFER_SIZE);
    return false;
  }

-  multiCmds->buffer = (char *)realloc(multiCmds->buffer, (size_t)bufferSize);
+  char *new_buffer = (char *)realloc(multiCmds->buffer, (size_t)bufferSize);
+  if (new_buffer == NULL && multiCmds->buffer) {
+    free(multiCmds->buffer);
+  }
+  multiCmds->buffer = new_buffer;
  if (multiCmds->buffer == NULL) {
    httpError("context:%p, fd:%d, user:%s, malloc buffer:%d error", pContext, pContext->fd, pContext->user, bufferSize);
    return false;