From: Vsevolod Stakhov Date: Sat, 18 Apr 2026 16:33:07 +0000 (+0100) Subject: [Fix] async_session: review fixes — redis label safety, overflow naming X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=afbd97cbadebc050ed94dc1567451d661fe02957;p=thirdparty%2Frspamd.git [Fix] async_session: review fixes — redis label safety, overflow naming - lua_redis: args[0] is allocated as g_malloc(arglens[0]) + memcpy and is NOT NUL-terminated, so reusing it as a diagnostic label (read later via %s) could read past the buffer. Store a dedicated g_strdup'd copy of the command in sp_ud->cmd and use that for the event label; free it alongside args in the dtor. - async_session: the overflow counter increments once per event that could not be placed into the first 32 dump groups, not once per lost group. Rename overflow_groups -> overflow_events and reword the suffix to "(+N events not shown)" so the message matches reality (the lost events may belong to any number of groups). --- diff --git a/src/libserver/async_session.c b/src/libserver/async_session.c index 50febb8b00..2eae3dbac9 100644 --- a/src/libserver/async_session.c +++ b/src/libserver/async_session.c @@ -386,7 +386,10 @@ rspamd_session_describe_pending(struct rspamd_async_session *session) GString *out; unsigned int total = 0; unsigned int n_groups = 0; - unsigned int overflow_groups = 0; + /* Events that did not fit into the first RSPAMD_DUMP_MAX_GROUPS groups — + * these may belong to any number of distinct groups; we cannot tell without + * spending more memory, so we just report the event count. */ + unsigned int overflow_events = 0; unsigned int i; struct dump_group { @@ -426,7 +429,7 @@ rspamd_session_describe_pending(struct rspamd_async_session *session) g->count = 0; } else { - overflow_groups++; + overflow_events++; } } @@ -462,8 +465,8 @@ rspamd_session_describe_pending(struct rspamd_async_session *session) rspamd_printf_gstring(out, "=%ud", g->count); } - if (overflow_groups > 0) { - rspamd_printf_gstring(out, ", (+%ud more groups)", overflow_groups); + if (overflow_events > 0) { + rspamd_printf_gstring(out, ", (+%ud events not shown)", overflow_events); } return out; diff --git a/src/lua/lua_redis.c b/src/lua/lua_redis.c index 852be43054..b08f448580 100644 --- a/src/lua/lua_redis.c +++ b/src/lua/lua_redis.c @@ -131,6 +131,9 @@ struct lua_redis_request_specific_userdata { unsigned int nargs; char **args; gsize *arglens; + /* NUL-terminated copy of args[0] for diagnostic labels; args[0] itself is + * sized to arglens[0] and is not NUL-terminated */ + char *cmd; struct lua_redis_userdata *common_ud; struct lua_redis_ctx *ctx; struct lua_redis_request_specific_userdata *next; @@ -223,6 +226,7 @@ lua_redis_dtor(struct lua_redis_ctx *ctx) LL_FOREACH_SAFE(ud->specific, cur, tmp) { lua_redis_free_args(cur->args, cur->arglens, cur->nargs); + g_free(cur->cmd); if (cur->cbref != -1) { luaL_unref(ud->cfg->lua_state, LUA_REGISTRYINDEX, cur->cbref); @@ -1215,6 +1219,7 @@ lua_redis_make_request(lua_State *L) lua_gettable(L, -2); cmd = lua_tostring(L, -1); lua_pop(L, 1); + sp_ud->cmd = g_strdup(cmd); lua_pushstring(L, "timeout"); lua_gettable(L, 1); @@ -1244,7 +1249,7 @@ lua_redis_make_request(lua_State *L) rspamd_session_add_event_full(ud->s, lua_redis_fin, sp_ud, M, - sp_ud->nargs > 0 ? sp_ud->args[0] : NULL); + sp_ud->cmd); if (ud->item) { rspamd_symcache_item_async_inc(ud->task, ud->item, M); @@ -1580,6 +1585,7 @@ lua_redis_add_cmd(lua_State *L) } sp_ud->ctx = ctx; + sp_ud->cmd = g_strdup(cmd); lua_redis_parse_args(L, args_pos, cmd, &sp_ud->args, &sp_ud->arglens, &sp_ud->nargs); @@ -1616,7 +1622,7 @@ lua_redis_add_cmd(lua_State *L) lua_redis_fin, sp_ud, M, - sp_ud->nargs > 0 ? sp_ud->args[0] : NULL); + sp_ud->cmd); if (ud->item) { rspamd_symcache_item_async_inc(ud->task, ud->item, M);