maybe target_size crash (#837)

* if amq not disconnect when return AMQP_STATUS_BAD_AMQP_DATA, maybe crash in consume_data when next receive data. because it change state->target_size but not allocate state->inbound_buffer. line 222 (bytes_consumed = consume_data(state, &received_data);)
alanxz · Jul 11, 2024 · e7b632c · e7b632c
1 parent 9d642be
commit e7b632c
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/librabbitmq/amqp_connection.c b/librabbitmq/amqp_connection.c
@@ -269,8 +269,8 @@ int amqp_handle_input(amqp_connection_state_t state, amqp_bytes_t received_data,
         return AMQP_STATUS_BAD_AMQP_DATA;
       }
 
-      state->target_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
-      if ((size_t)state->frame_max < state->target_size) {
+      frame_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
+      if ((size_t)state->frame_max < frame_size) {
         return AMQP_STATUS_BAD_AMQP_DATA;
       }
 
@@ -279,16 +279,15 @@ int amqp_handle_input(amqp_connection_state_t state, amqp_bytes_t received_data,
         return AMQP_STATUS_NO_MEMORY;
       }
 
-      amqp_pool_alloc_bytes(channel_pool, state->target_size,
-                            &state->inbound_buffer);
+      amqp_pool_alloc_bytes(channel_pool, frame_size, &state->inbound_buffer);
       if (NULL == state->inbound_buffer.bytes) {
         return AMQP_STATUS_NO_MEMORY;
       }
       memcpy(state->inbound_buffer.bytes, state->header_buffer, HEADER_SIZE);
       raw_frame = state->inbound_buffer.bytes;
 
       state->state = CONNECTION_STATE_BODY;
-
+      state->target_size = frame_size;
       bytes_consumed += consume_data(state, &received_data);
 
       /* do we have target_size data yet? if not, return with the