router: fix buffer overflow double-counting when decoding buffer and data are the same object #44346

Open
wdauchy wants to merge 5 commits into envoyproxy:main from wdauchy:fix/buffer-redirect-double-count

wdauchy commented Apr 9, 2026

Commit Message:
When an upstream filter (e.g. envoy.filters.http.buffer) buffers the entire request body before passing it to the router, the shared buffered_request_data_ is passed directly as the data argument to decodeData(). The buffer overflow check computed decodingBuffer().length() + data.length(), but since both refer to the same object, this double-counted the payload size.

This caused requests with body size between limit/2 and limit to incorrectly trigger buffer overflow, setting request_buffer_overflowed_ and cancelling internal redirects.

The fix detects pointer equality between decodingBuffer() and data, mirroring the existing same-buffer guard in commonHandleBufferData().

tentative fix for #44128

…data are the same object

When an upstream filter (e.g. envoy.filters.http.buffer) buffers the
entire request body before passing it to the router, the shared
buffered_request_data_ is passed directly as the `data` argument to
decodeData(). The buffer overflow check computed
`decodingBuffer().length() + data.length()`, but since both refer to
the same object, this double-counted the payload size.

This caused requests with body size between limit/2 and limit to
incorrectly trigger buffer overflow, setting request_buffer_overflowed_
and cancelling internal redirects.

The fix detects pointer equality between decodingBuffer() and data,
mirroring the existing same-buffer guard in commonHandleBufferData().

tentative fix for envoyproxy#44128

Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
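
Added example, not part of the PR or Envoy's source: a self-contained model of the aliasing double-count described in the commit message, with the pointer-equality guard beside the unguarded check. The `Buffer` struct, the function names and the strict `> limit` comparison are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Minimal stand-in for a byte buffer (hypothetical; not Envoy's Buffer::Instance).
struct Buffer {
  std::string bytes;
  uint64_t length() const { return bytes.size(); }
};

// Unguarded check: already-buffered bytes plus incoming bytes against the limit.
// The "> limit" comparison is an assumption of this example.
bool overflowsNaive(const Buffer* buffered, const Buffer& data, uint64_t limit) {
  const uint64_t already = buffered != nullptr ? buffered->length() : 0;
  return already + data.length() > limit;
}

// Guarded check: when `data` IS the buffered object, its bytes are already
// accounted for, so count them once.
bool overflowsGuarded(const Buffer* buffered, const Buffer& data, uint64_t limit) {
  if (buffered == &data) {
    return data.length() > limit;
  }
  const uint64_t already = buffered != nullptr ? buffered->length() : 0;
  return already + data.length() > limit;
}

// Sweep body sizes 0..limit using the aliased call pattern (same object passed
// as both arguments) and collect sizes the unguarded check wrongly rejects.
std::vector<uint64_t> falsePositives(uint64_t limit) {
  std::vector<uint64_t> sizes;
  for (uint64_t n = 0; n <= limit; ++n) {
    Buffer shared{std::string(n, 'x')};  // constructed sample body
    if (overflowsNaive(&shared, shared, limit) && !overflowsGuarded(&shared, shared, limit)) {
      sizes.push_back(n);
    }
  }
  return sizes;
}

int main() {
  const uint64_t limit = 16;  // constructed limit for the demonstration
  const auto fp = falsePositives(limit);
  std::cout << "falsely rejected sizes: " << fp.front() << ".." << fp.back() << "\n";
  return 0;
}
```

With distinct buffers the two checks agree, so the guard does not hide a genuine overflow; only the aliased call changes outcome.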
@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #44346 was opened by wdauchy.

wdauchy added 3 commits April 9, 2026 11:36
Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
@wdauchy wdauchy marked this pull request as ready for review April 9, 2026 09:40
@wdauchy wdauchy requested a review from wbpcode April 9, 2026 09:41
Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
wdauchy commented Apr 9, 2026

/retest transients
