AbstractByteBuf readSlice bound check bug

Motivation: AbstractByteBuf#readSlice relied upon the bounds checking of the slice operation in order to detect index out of bounds conditions. However the slice bounds checking operation allows for the slice to go beyond the writer index, and this is out of bounds for a read operation. Modifications: - AbstractByteBuf#readSlice and AbstractByteBuf#readRetainedSlice should ensure the desired amount of bytes are readable before taking a slice Result: No reading of undefined data in AbstractByteBuf#readSlice and AbstractByteBuf#readRetainedSlice.
2017-11-17 14:50:09 -08:00 · 2017-11-17 14:50:09 -08:00 · 5ca273814f
commit 5ca273814f
parent ae7436813a
4 changed files with 26 additions and 2 deletions
--- a/buffer/src/main/java/io/netty/buffer/AbstractByteBuf.java
+++ b/buffer/src/main/java/io/netty/buffer/AbstractByteBuf.java
@ -686,6 +686,7 @@ public abstract class AbstractByteBuf extends ByteBuf {

    @Override
    public ByteBuf readSlice(int length) {
+        checkReadableBytes(length);
        ByteBuf slice = slice(readerIndex, length);
        readerIndex += length;
        return slice;
--- a/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
+++ b/buffer/src/test/java/io/netty/buffer/AbstractByteBufTest.java
@ -2719,6 +2719,18 @@ public abstract class AbstractByteBufTest {
        assertEquals(0, buf.refCnt());
    }

+    @Test(expected = IndexOutOfBoundsException.class)
+    public void testReadSliceOutOfBounds() {
+        ByteBuf buf = newBuffer(100);
+        try {
+            buf.writeZero(50);
+            buf.readSlice(51);
+            fail();
+        } finally {
+            buf.release();
+        }
+    }
+
    @Test
    public void testDuplicateRelease() {
        ByteBuf buf = newBuffer(8);
--- a/buffer/src/test/java/io/netty/buffer/SimpleLeakAwareByteBufTest.java
+++ b/buffer/src/test/java/io/netty/buffer/SimpleLeakAwareByteBufTest.java
@ -25,6 +25,7 @@ import java.util.Queue;

 import static org.junit.Assert.assertSame;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assume.assumeTrue;

 public class SimpleLeakAwareByteBufTest extends BigEndianHeapByteBufTest {
    private final Class<? extends ByteBuf> clazz = leakClass();
@ -84,7 +85,12 @@ public class SimpleLeakAwareByteBufTest extends BigEndianHeapByteBufTest {

    @Test
    public void testWrapReadSlice() {
-        assertWrapped(newBuffer(8).readSlice(1));
+        ByteBuf buffer = newBuffer(8);
+        if (buffer.isReadable()) {
+            assertWrapped(buffer.readSlice(1));
+        } else {
+            assertTrue(buffer.release());
+        }
    }

    @Test
--- a/buffer/src/test/java/io/netty/buffer/SimpleLeakAwareCompositeByteBufTest.java
+++ b/buffer/src/test/java/io/netty/buffer/SimpleLeakAwareCompositeByteBufTest.java
@ -81,7 +81,12 @@ public class SimpleLeakAwareCompositeByteBufTest extends WrappedCompositeByteBuf

    @Test
    public void testWrapReadSlice() {
-        assertWrapped(newBuffer(8).readSlice(1));
+        ByteBuf buffer = newBuffer(8);
+        if (buffer.isReadable()) {
+            assertWrapped(buffer.readSlice(1));
+        } else {
+            assertTrue(buffer.release());
+        }
    }

    @Test