fix: do not panic while encoding oversized bodies (#1142)

crepererum · web-flow · commit 33e22bbc5ef1 · 2022-11-10T11:07:35.000-05:00
Fixes #1141.
diff --git a/tonic/src/codec/encode.rs b/tonic/src/codec/encode.rs
@@ -119,19 +119,26 @@ where
     }
 
     // now that we know length, we can write the header
-    Ok(finish_encoding(compression_encoding, buf))
+    finish_encoding(compression_encoding, buf)
 }
 
-fn finish_encoding(compression_encoding: Option<CompressionEncoding>, buf: &mut BytesMut) -> Bytes {
+fn finish_encoding(
+    compression_encoding: Option<CompressionEncoding>,
+    buf: &mut BytesMut,
+) -> Result<Bytes, Status> {
     let len = buf.len() - HEADER_SIZE;
-    assert!(len <= std::u32::MAX as usize);
+    if len > std::u32::MAX as usize {
+        return Err(Status::resource_exhausted(format!(
+            "Cannot return body with more than 4GB of data but got {len} bytes"
+        )));
+    }
     {
         let mut buf = &mut buf[..HEADER_SIZE];
         buf.put_u8(compression_encoding.is_some() as u8);
         buf.put_u32(len as u32);
     }
 
-    buf.split_to(len + HEADER_SIZE).freeze()
+    Ok(buf.split_to(len + HEADER_SIZE).freeze())
 }
 
 #[derive(Debug)]
diff --git a/tonic/src/codec/prost.rs b/tonic/src/codec/prost.rs
@@ -136,6 +136,39 @@ mod tests {
         }
     }
 
+    // skip on windows because CI stumbles over our 4GB allocation
+    #[cfg(not(target_family = "windows"))]
+    #[tokio::test]
+    async fn encode_too_big() {
+        let encoder = MockEncoder::default();
+
+        let msg = vec![0u8; u32::MAX as usize + 1];
+
+        let messages = std::iter::once(Ok::<_, Status>(msg));
+        let source = futures_util::stream::iter(messages);
+
+        let body = encode_server(
+            encoder,
+            source,
+            None,
+            SingleMessageCompressionOverride::default(),
+        );
+
+        futures_util::pin_mut!(body);
+
+        assert!(body.data().await.is_none());
+        assert_eq!(
+            body.trailers()
+                .await
+                .expect("no error polling trailers")
+                .expect("some trailers")
+                .get("grpc-status")
+                .expect("grpc-status header"),
+            "8"
+        );
+        assert!(body.is_end_stream());
+    }
+
     #[derive(Debug, Clone, Default)]
     struct MockEncoder;
 

Original file line number	Diff line number	Diff line change
`@@ -119,19 +119,26 @@ where`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`// now that we know length, we can write the header`
`122`		`- Ok(finish_encoding(compression_encoding, buf))`
	`122`	`+ finish_encoding(compression_encoding, buf)`
`123`	`123`	`}`
`124`	`124`
`125`		`-fn finish_encoding(compression_encoding: Option<CompressionEncoding>, buf: &mut BytesMut) -> Bytes {`
	`125`	`+fn finish_encoding(`
	`126`	`+ compression_encoding: Option<CompressionEncoding>,`
	`127`	`+ buf: &mut BytesMut,`
	`128`	`+) -> Result<Bytes, Status> {`
`126`	`129`	`let len = buf.len() - HEADER_SIZE;`
`127`		`- assert!(len <= std::u32::MAX as usize);`
	`130`	`+ if len > std::u32::MAX as usize {`
	`131`	`+ return Err(Status::resource_exhausted(format!(`
	`132`	`+ "Cannot return body with more than 4GB of data but got {len} bytes"`
	`133`	`+ )));`
	`134`	`+ }`
`128`	`135`	`{`
`129`	`136`	`let mut buf = &mut buf[..HEADER_SIZE];`
`130`	`137`	`buf.put_u8(compression_encoding.is_some() as u8);`
`131`	`138`	`buf.put_u32(len as u32);`
`132`	`139`	`}`
`133`	`140`
`134`		`- buf.split_to(len + HEADER_SIZE).freeze()`
	`141`	`+ Ok(buf.split_to(len + HEADER_SIZE).freeze())`
`135`	`142`	`}`
`136`	`143`
`137`	`144`	`#[derive(Debug)]`