From 4ac5db0d97e4ca2d6f97a687e9615951215fd7ce Mon Sep 17 00:00:00 2001 From: Garrett D'Amore Date: Wed, 24 Apr 2024 01:11:15 -0700 Subject: fixes #1808 nng_msg_insert: munmap_chunk(): invalid pointer With specific message sizes, we the shuffle of data for msg insert can calculate the wrong value, leading to heap corruption. This includes a stress test for msg insert to hopefully exercise every reasonable edge case. --- src/core/message_test.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'src/core/message_test.c') diff --git a/src/core/message_test.c b/src/core/message_test.c index 20813c6d..35fca849 100644 --- a/src/core/message_test.c +++ b/src/core/message_test.c @@ -1,5 +1,5 @@ // -// Copyright 2021 Staysail Systems, Inc. +// Copyright 2024 Staysail Systems, Inc. // Copyright 2018 Capitar IT Group BV // // This software is supplied under the terms of the MIT License, a @@ -349,7 +349,7 @@ test_msg_body_uint64(void) nng_msg *msg; uint64_t v; uint8_t data[] = { 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2, 0, - 0, 0, 0, 0, 0, 0, 3 }; + 0, 0, 0, 0, 0, 0, 3 }; NUTS_PASS(nng_msg_alloc(&msg, 0)); @@ -452,7 +452,7 @@ test_msg_header_uint64(void) nng_msg *msg; uint64_t v; uint8_t data[] = { 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2, 0, - 0, 0, 0, 0, 0, 0, 3 }; + 0, 0, 0, 0, 0, 0, 3 }; NUTS_PASS(nng_msg_alloc(&msg, 0)); @@ -485,7 +485,7 @@ void test_msg_capacity(void) { nng_msg *msg; - char * body; + char *body; char junk[64]; NUTS_PASS(nng_msg_alloc(&msg, 0)); @@ -506,7 +506,7 @@ void test_msg_reserve(void) { nng_msg *msg; - char * body; + char *body; NUTS_PASS(nng_msg_alloc(&msg, 0)); NUTS_ASSERT(nng_msg_capacity(msg) == 32); // initial empty 
@@ -522,6 +522,23 @@ test_msg_reserve(void)
 nng_msg_free(msg);
 }
 
+void
+test_msg_insert_stress(void)
+{
+ char junk[1024];
+
+ for (int j = 0; j < 128; j++) {
+ for (int i = 0; i < 1024; i++) {
+ nng_msg *msg;
+ memset(junk, i % 32 + 'A', sizeof(junk));
+ nng_msg_alloc(&msg, j);
+ nng_msg_insert(msg, junk, i);
+ NUTS_ASSERT(memcmp(nng_msg_body(msg), junk, i) == 0);
+ nng_msg_free(msg);
+ }
+ }
+}
+
 TEST_LIST = {
 { "msg option", test_msg_option },
 { "msg empty", test_msg_empty },
@@ -549,5 +566,6 @@ TEST_LIST = {
 { "msg header u32", test_msg_header_uint64 },
 { "msg capacity", test_msg_capacity },
 { "msg reserve", test_msg_reserve },
+ { "msg insert stress", test_msg_insert_stress },
 { NULL, NULL },
 };
-- 
cgit v1.2.3-70-g09d2
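Review bot: The return values of `nng_msg_alloc(&msg, j)` and `nng_msg_insert(msg, junk, i)` in test_msg_insert_stress are ignored, so a failed allocation leaves `msg` uninitialized and the calls that follow dereference it. Other tests in this file wrap the call as `NUTS_PASS(nng_msg_alloc(&msg, 0));`, and the new loop should do the same with `NUTS_PASS(nng_msg_alloc(&msg, j));` and `NUTS_PASS(nng_msg_insert(msg, junk, i));`. The only assertion compares the inserted prefix, so a shuffle that miscomputes the length or damages the original `j` body bytes would still pass unless the allocator happens to abort. Adding `NUTS_ASSERT(nng_msg_len(msg) == (size_t) (i + j));` and a check of the bytes after offset `i` would pin that down. Because the defect being guarded is heap corruption, the test is most useful when the suite is also run under AddressSanitizer or a comparable heap checker.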