compression buffer was not reused correctly

when the compression buffer was reused for multiple statistics
requests, responses could grow beyond the correct size. this was
because the buffer was not cleared before reuse; compressed data
was still written to the beginning of the buffer, but then the size
of used region was increased by the amount written, rather than set
to the amount written. this caused responses to grow larger and
larger, potentially reading past the end of the allocated buffer.

diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
index e4c7d716994a177a4c91781a1dcdd217d79c2f6a..9e2ea2ea389b41f659f34fa0db84c86d9c1e2326 100644 (file)
--- a/lib/isc/httpd.c
+++ b/lib/isc/httpd.c
@@ -202,6 +202,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
        if (r.base != NULL) {
                isc_mem_put(mctx, r.base, r.length);
        }
+
+       isc_buffer_initnull(buffer);
 }
 
 isc_result_t
@@ -864,6 +866,7 @@ httpd_compress(isc_httpd_t *httpd) {
 
        inputlen = isc_buffer_usedlength(&httpd->bodybuffer);
        alloc_compspace(httpd, inputlen);
+       isc_buffer_clear(&httpd->compbuffer);
        isc_buffer_region(&httpd->compbuffer, &r);
 
        /*