Handle OOM situations in iobuf expansion

scaprile · scaprile · commit 60c0d8de96ce · 2025-10-27T17:17:10.000-03:00
diff --git a/mongoose.c b/mongoose.c
diff --git a/mongoose.h b/mongoose.h
@@ -1488,8 +1488,8 @@ struct mg_iobuf {
   size_t align;        // Alignment during allocation
 };
 
-int mg_iobuf_init(struct mg_iobuf *, size_t, size_t);
-int mg_iobuf_resize(struct mg_iobuf *, size_t);
+bool mg_iobuf_init(struct mg_iobuf *, size_t, size_t);
+bool mg_iobuf_resize(struct mg_iobuf *, size_t);
 void mg_iobuf_free(struct mg_iobuf *);
 size_t mg_iobuf_add(struct mg_iobuf *, size_t, const void *, size_t);
 size_t mg_iobuf_del(struct mg_iobuf *, size_t ofs, size_t len);
diff --git a/src/iobuf.c b/src/iobuf.c
@@ -1,14 +1,14 @@
-#include "arch.h"
 #include "iobuf.h"
+#include "arch.h"
 #include "log.h"
 #include "util.h"
 
 static size_t roundup(size_t size, size_t align) {
   return align == 0 ? size : (size + align - 1) / align * align;
 }
 
-int mg_iobuf_resize(struct mg_iobuf *io, size_t new_size) {
-  int ok = 1;
+bool mg_iobuf_resize(struct mg_iobuf *io, size_t new_size) {
+  bool ok = true;
   new_size = roundup(new_size, io->align);
   if (new_size == 0) {
     mg_bzero(io->buf, io->size);
@@ -27,14 +27,14 @@ int mg_iobuf_resize(struct mg_iobuf *io, size_t new_size) {
       io->size = new_size;
       io->len = len;
     } else {
-      ok = 0;
+      ok = false;
       MG_ERROR(("%lld->%lld", (uint64_t) io->size, (uint64_t) new_size));
     }
   }
   return ok;
 }
 
-int mg_iobuf_init(struct mg_iobuf *io, size_t size, size_t align) {
+bool mg_iobuf_init(struct mg_iobuf *io, size_t size, size_t align) {
   io->buf = NULL;
   io->align = align;
   io->size = io->len = 0;
diff --git a/src/iobuf.h b/src/iobuf.h
@@ -9,8 +9,8 @@ struct mg_iobuf {
   size_t align;        // Alignment during allocation
 };
 
-int mg_iobuf_init(struct mg_iobuf *, size_t, size_t);
-int mg_iobuf_resize(struct mg_iobuf *, size_t);
+bool mg_iobuf_init(struct mg_iobuf *, size_t, size_t);
+bool mg_iobuf_resize(struct mg_iobuf *, size_t);
 void mg_iobuf_free(struct mg_iobuf *);
 size_t mg_iobuf_add(struct mg_iobuf *, size_t, const void *, size_t);
 size_t mg_iobuf_del(struct mg_iobuf *, size_t ofs, size_t len);
diff --git a/src/net_builtin.c b/src/net_builtin.c
@@ -1459,6 +1459,7 @@ bool mg_send(struct mg_connection *c, const void *buf, size_t len) {
                  len);
   } else {
     res = mg_iobuf_add(&c->send, c->send.len, buf, len);
+    // res == 0 means an OOM condition (iobuf couldn't resize), yet this is so far recoverable, let the caller decide
   }
   return res;
 }
diff --git a/src/sock.c b/src/sock.c
@@ -142,6 +142,8 @@ bool mg_send(struct mg_connection *c, const void *buf, size_t len) {
     return n > 0;
   } else {
     return mg_iobuf_add(&c->send, c->send.len, buf, len);
+    // returning 0 means an OOM condition (iobuf couldn't resize), yet this is
+    // so far recoverable, let the caller decide
   }
 }
 
@@ -163,7 +165,7 @@ static void mg_set_non_blocking_mode(MG_SOCKET_TYPE fd) {
 #elif MG_ARCH == MG_ARCH_THREADX
   // NetxDuo fails to send large blocks of data to the non-blocking sockets
   (void) fd;
-  //fcntl(fd, F_SETFL, O_NONBLOCK);
+  // fcntl(fd, F_SETFL, O_NONBLOCK);
 #elif MG_ARCH == MG_ARCH_TIRTOS
   int val = 0;
   setsockopt(fd, SOL_SOCKET, SO_BLOCKING, &val, sizeof(val));
@@ -195,9 +197,10 @@ void mg_multicast_add(struct mg_connection *c, char *ip) {
   struct ip_mreq mreq;
   mreq.imr_multiaddr.s_addr = inet_addr(ip);
   mreq.imr_interface.s_addr = mg_htonl(INADDR_ANY);
-  setsockopt(FD(c), IPPROTO_IP, IP_ADD_MEMBERSHIP, (char *) &mreq, sizeof(mreq));
-#endif // !Zephyr
-#endif // !lwIP
+  setsockopt(FD(c), IPPROTO_IP, IP_ADD_MEMBERSHIP, (char *) &mreq,
+             sizeof(mreq));
+#endif  // !Zephyr
+#endif  // !lwIP
 #endif
 }
 
@@ -315,9 +318,9 @@ static void read_conn(struct mg_connection *c) {
       if (n == MG_IO_ERR || n == MG_IO_RESET) {  // Windows, see #3031
         if (c->rtls.len == 0 || m < 0) {
           // Close only when we have fully drained both rtls and TLS buffers
-          c->is_closing = 1;  // or there's nothing we can do about it.
-          if (m < 0) m = MG_IO_ERR; // but return last record data, see #3104
-        } else { // see #2885
+          c->is_closing = 1;         // or there's nothing we can do about it.
+          if (m < 0) m = MG_IO_ERR;  // but return last record data, see #3104
+        } else {                     // see #2885
           // TLS buffer is capped to max record size, even though, there can
           // be more than one record, give TLS a chance to process them.
         }
@@ -367,7 +370,7 @@ static void connect_conn(struct mg_connection *c) {
     mg_call(c, MG_EV_CONNECT, NULL);
     MG_EPOLL_MOD(c, 0);
     if (c->is_tls_hs) mg_tls_handshake(c);
-    if (!c->is_tls_hs) c->is_tls = 0; // user did not call mg_tls_init()
+    if (!c->is_tls_hs) c->is_tls = 0;  // user did not call mg_tls_init()
   } else {
     mg_error(c, "socket error");
   }
@@ -419,9 +422,9 @@ void mg_connect_resolved(struct mg_connection *c) {
     rc = connect(FD(c), &usa.sa, slen);  // Attempt to connect
     if (rc == 0) {                       // Success
       setlocaddr(FD(c), &c->loc);
-      mg_call(c, MG_EV_CONNECT, NULL);  // Send MG_EV_CONNECT to the user
-      if (!c->is_tls_hs) c->is_tls = 0; // user did not call mg_tls_init()
-    } else if (MG_SOCK_PENDING(rc)) {   // Need to wait for TCP handshake
+      mg_call(c, MG_EV_CONNECT, NULL);   // Send MG_EV_CONNECT to the user
+      if (!c->is_tls_hs) c->is_tls = 0;  // user did not call mg_tls_init()
+    } else if (MG_SOCK_PENDING(rc)) {    // Need to wait for TCP handshake
       MG_DEBUG(("%lu %ld -> %M pend", c->id, c->fd, mg_print_ip_port, &c->rem));
       c->is_connecting = 1;
     } else {
@@ -481,7 +484,7 @@ static void accept_conn(struct mg_mgr *mgr, struct mg_connection *lsn) {
               &c->rem, mg_print_ip_port, &c->loc));
     mg_call(c, MG_EV_OPEN, NULL);
     mg_call(c, MG_EV_ACCEPT, NULL);
-    if (!c->is_tls_hs) c->is_tls = 0; // user did not call mg_tls_init()
+    if (!c->is_tls_hs) c->is_tls = 0;  // user did not call mg_tls_init()
   }
 }
 
diff --git a/src/ssi.c b/src/ssi.c
@@ -1,6 +1,6 @@
+#include "ssi.h"
 #include "log.h"
 #include "printf.h"
-#include "ssi.h"
 #include "util.h"
 
 #ifndef MG_MAX_SSI_DEPTH
@@ -31,31 +31,35 @@ static char *mg_ssi(const char *path, const char *root, int depth) {
           mg_snprintf(tmp, sizeof(tmp), "%.*s%s", (int) (p - path), path, arg);
           if (depth < MG_MAX_SSI_DEPTH &&
               (data = mg_ssi(tmp, root, depth + 1)) != NULL) {
-            mg_iobuf_add(&b, b.len, data, strlen(data));
+            size_t datalen = strlen(data);
+            size_t ret = mg_iobuf_add(&b, b.len, data, datalen);
             mg_free(data);
+            if (datalen > 0 && ret == 0) goto fail;
           } else {
             MG_ERROR(("%s: file=%s error or too deep", path, arg));
-          }
+          } // TODO(): or OOM at recursive call
         } else if (sscanf(buf, "<!--#include virtual=\"%[^\"]", arg) > 0) {
           char tmp[MG_PATH_MAX + MG_SSI_BUFSIZ + 10], *data;
           mg_snprintf(tmp, sizeof(tmp), "%s%s", root, arg);
           if (depth < MG_MAX_SSI_DEPTH &&
               (data = mg_ssi(tmp, root, depth + 1)) != NULL) {
-            mg_iobuf_add(&b, b.len, data, strlen(data));
+            size_t datalen = strlen(data);
+            size_t ret = mg_iobuf_add(&b, b.len, data, datalen);
             mg_free(data);
+            if (datalen > 0 && ret == 0) goto fail;
           } else {
             MG_ERROR(("%s: virtual=%s error or too deep", path, arg));
-          }
+          } // TODO(): or OOM at recursive call
         } else {
           // Unknown SSI tag
           MG_ERROR(("Unknown SSI tag: %.*s", (int) len, buf));
-          mg_iobuf_add(&b, b.len, buf, len);
+          if (len > 0 && mg_iobuf_add(&b, b.len, buf, len) == 0) goto fail;
         }
         intag = 0;
         len = 0;
       } else if (ch == '<') {
         intag = 1;
-        if (len > 0) mg_iobuf_add(&b, b.len, buf, len);
+        if (len > 0 && mg_iobuf_add(&b, b.len, buf, len) == 0) goto fail;
         len = 0;
         buf[len++] = (char) (ch & 0xff);
       } else if (intag) {
@@ -69,24 +73,33 @@ static char *mg_ssi(const char *path, const char *root, int depth) {
       } else {
         buf[len++] = (char) (ch & 0xff);
         if (len >= sizeof(buf)) {
-          mg_iobuf_add(&b, b.len, buf, len);
+          if (mg_iobuf_add(&b, b.len, buf, len) == 0) goto fail;
           len = 0;
         }
       }
     }
-    if (len > 0) mg_iobuf_add(&b, b.len, buf, len);
-    if (b.len > 0) mg_iobuf_add(&b, b.len, "", 1);  // nul-terminate
+    if (len > 0 && mg_iobuf_add(&b, b.len, buf, len) == 0) goto fail;
+    if (b.len > 0 && mg_iobuf_add(&b, b.len, "", 1) == 0)  // nul-terminate
+      goto fail;
     fclose(fp);
   }
   (void) depth;
   (void) root;
   return (char *) b.buf;
+
+fail:
+  fclose(fp);
+  return NULL;
 }
 
 void mg_http_serve_ssi(struct mg_connection *c, const char *root,
                        const char *fullpath) {
   const char *headers = "Content-Type: text/html; charset=utf-8\r\n";
   char *data = mg_ssi(fullpath, root, 0);
+  if (data == NULL) {
+    mg_error(c, "OOM");
+    return;
+  }
   mg_http_reply(c, 200, headers, "%s", data == NULL ? "" : data);
   mg_free(data);
 }
diff --git a/src/tls_builtin.c b/src/tls_builtin.c
diff --git a/src/ws.c b/src/ws.c

Original file line number	Diff line number	Diff line change
`@@ -1459,6 +1459,7 @@ bool mg_send(struct mg_connection c, const void buf, size_t len) {`
`1459`	`1459`	`len);`
`1460`	`1460`	`} else {`
`1461`	`1461`	`res = mg_iobuf_add(&c->send, c->send.len, buf, len);`
	`1462`	`+ // res == 0 means an OOM condition (iobuf couldn't resize), yet this is so far recoverable, let the caller decide`
`1462`	`1463`	`}`
`1463`	`1464`	`return res;`
`1464`	`1465`	`}`