Zero hdrtoken heap to fix use-of-uninitialized-value (#13172)

shukitchan · claude · web-flow · commit e57901caa14d · 2026-05-18T15:06:44.000-07:00
The hdrtoken heap allocated in hdrtoken_init() leaves padding bytes
between each token's null terminator and the next prefix slot
uninitialized, since ink_strlcpy only writes strlen+1 bytes but
heap_ptr advances by sstr_len (rounded up to sizeof(HdrTokenHeapPrefix)).
Switch to ats_calloc so the padding bytes are zeroed.

Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/proxy/hdrs/HdrToken.cc b/src/proxy/hdrs/HdrToken.cc
@@ -407,7 +407,7 @@ hdrtoken_init()
       heap_size                 += packed_prefix_str_len;
     }
 
-    _hdrtoken_strs_heap_f = static_cast<const char *>(ats_malloc(heap_size));
+    _hdrtoken_strs_heap_f = static_cast<const char *>(ats_calloc(1, heap_size));
     _hdrtoken_strs_heap_l = _hdrtoken_strs_heap_f + heap_size - 1;
 
     char *heap_ptr = const_cast<char *>(_hdrtoken_strs_heap_f);

Original file line number	Diff line number	Diff line change
`@@ -407,7 +407,7 @@ hdrtoken_init()`
`407`	`407`	`heap_size += packed_prefix_str_len;`
`408`	`408`	`}`
`409`	`409`
`410`		`- _hdrtoken_strs_heap_f = static_cast<const char *>(ats_malloc(heap_size));`
	`410`	`+ _hdrtoken_strs_heap_f = static_cast<const char *>(ats_calloc(1, heap_size));`
`411`	`411`	`_hdrtoken_strs_heap_l = _hdrtoken_strs_heap_f + heap_size - 1;`
`412`	`412`
`413`	`413`	`char heap_ptr = const_cast<char >(_hdrtoken_strs_heap_f);`