Skip to content

router: fix buffer overflow double-counting when decoding buffer and data are the same object #44346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wdauchy wants to merge 5 commits into
base: main
Choose a base branch
from
+43 −3

fix

c07cd34
Select commit
Loading
Failed to load commit list.
Open

router: fix buffer overflow double-counting when decoding buffer and data are the same object #44346

fix
c07cd34
Select commit
Loading
Failed to load commit list.
CI (Envoy) / Envoy/Prechecks succeeded Apr 9, 2026 in 26m 57s

Envoy/Prechecks (success)

Check has finished

Details

Check run finished (success ✔️)

The check run can be viewed here:

Envoy/Prechecks (pr/44346/main@c07cd34)

Check started by

Request (pr/44346/main@c07cd34)

wdauchy @wdauchy c07cd34 #44346 merge main@94828ca

router: fix buffer overflow double-counting when decoding buffer and data are the same object

Commit Message:
When an upstream filter (e.g. envoy.filters.http.buffer) buffers the entire request body before passing it to the router, the shared buffered_request_data_ is passed directly as the data argument to decodeData(). The buffer overflow check computed
decodingBuffer().length() + data.length(), but since both refer to the same object, this double-counted the payload size.

This caused requests with body size between limit/2 and limit to incorrectly trigger buffer overflow, setting request_buffer_overflowed_ and cancelling internal redirects.

The fix detects pointer equality between decodingBuffer() and data, mirroring the existing same-buffer guard in commonHandleBufferData().

tentative fix for #44128
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

Environment

Request variables

Key Value
ref 5940bbc
sha c07cd34
pr 44346
base-sha 94828ca
actor wdauchy @wdauchy
message router: fix buffer overflow double-counting when decoding buffer and data are the same object...
started 1775729960.119927
target-branch main
trusted false
Build image

Container image/s (as used in this CI run)

Key Value
default docker.io/envoyproxy/envoy-build:86873047235e9b8232df989a5999b9bebf9db69c
mobile docker.io/envoyproxy/envoy-build:mobile-86873047235e9b8232df989a5999b9bebf9db69c
Version

Envoy version (as used in this CI run)

Key Value
major 1
minor 38
patch 0
dev true
View more details on CI (Envoy)