sc-allocator: Do not panic on invalid header pointer (paritytech#13925)

We should not panic on an invalid header pointer and instead return an error. It is possible that the application modifies the header pointer illegally, but then we should return an error instead of panicking.
nathanwhit · Jul 19, 2023 · d9940e8 · d9940e8
1 parent 5a0ab09
commit d9940e8
Showing 1 changed file with 26 additions and 5 deletions.
diff --git a/client/allocator/src/freeing_bump.rs b/client/allocator/src/freeing_bump.rs
@@ -421,11 +421,11 @@ impl FreeingBumpHeapAllocator {
 
 		let header_ptr: u32 = match self.free_lists[order] {
 			Link::Ptr(header_ptr) => {
-				assert!(
-					u64::from(header_ptr + order.size() + HEADER_SIZE) <= mem.size(),
-					"Pointer is looked up in list of free entries, into which
-					only valid values are inserted; qed"
-				);
+				if (u64::from(header_ptr) + u64::from(order.size()) + u64::from(HEADER_SIZE)) >
+					mem.size()
+				{
+					return Err(error("Invalid header pointer detected"))
+				}
 
 				// Remove this header from the free list.
 				let next_free = Header::read_from(mem, header_ptr)?
@@ -1106,4 +1106,25 @@ mod tests {
 
 		assert_eq!(3, mem.pages());
 	}
+
+	#[test]
+	fn modifying_the_header_leads_to_an_error() {
+		let mut mem = MemoryInstance::with_pages(1);
+		let mut heap = FreeingBumpHeapAllocator::new(0);
+
+		let ptr = heap.allocate(&mut mem, 5).unwrap();
+
+		heap.deallocate(&mut mem, ptr).unwrap();
+
+		Header::Free(Link::Ptr(u32::MAX - 1))
+			.write_into(&mut mem, u32::from(ptr) - HEADER_SIZE)
+			.unwrap();
+
+		heap.allocate(&mut mem, 5).unwrap();
+		assert!(heap
+			.allocate(&mut mem, 5)
+			.unwrap_err()
+			.to_string()
+			.contains("Invalid header pointer"));
+	}
 }