Bug #3502

closed

Potential integer overflow in RibManager::listEntries()

Added by Davide Pesavento about 8 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: RIB
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Description

A potential integer overflow exists in RibManager::listEntries and Route's stream output operator.
The following line triggers a UBSan error:

boost::lexical_cast<std::string>(rib::Route{});

Actions #1

Updated by Junxiao Shi about 8 years ago

  • Assignee set to Vince Lehman

This is assigned to @Vince, who authored this test suite in nfd:commit:cd16c83f3592aab7898a3504bcc38430828493e7.

In normal operations, a route is deleted by a timer upon its expiration.
However, this does not guarantee route.expires >= now(), because:

  • Timer callback can be delayed.
  • Time elapses during dataset generation; even if now() is called at the top of dataset generation, a route can expire between the time the Interest is received by RIB's face and this call.

Therefore, the dataset generation routine should check each route, and only include unexpired routes in the dataset.

Actions #2

Updated by Vince Lehman almost 8 years ago

  • Assignee deleted (Vince Lehman)

Actions #3

Updated by Junxiao Shi over 7 years ago

  • Target version changed from v0.5 to v0.6

RibManager::listEntries has been re-implemented with the dispatcher. Is this issue still relevant? If so, a new UBSan log should be posted.

Actions #4

Updated by Junxiao Shi almost 7 years ago

  • Status changed from New to Rejected

The function RibStatusPublisher::generate() no longer exists, so I'm rejecting this issue.
If the same problem still exists, please reopen with updated title and UBSan log.

Actions #5

Updated by Davide Pesavento almost 7 years ago

  • Subject changed from Potential integer overflow in RibStatusPublisher::generate() to Potential integer overflow in RibManager::listEntries()

The buggy code is still there, both in RibManager::listEntries and in Route's stream output operator.

No test case currently triggers the undefined behavior (signed overflow), but that's only because of lack of test coverage. For example, the following line triggers a UBSan error, as expected:

boost::lexical_cast<std::string>(rib::Route{});

I wonder what was the rationale for initializing Route::expires to TimePoint::min()?
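
Added example, not part of the thread and not NFD's code: a sketch of the check proposed in note #1 (include only unexpired routes) written so that the subtraction flagged in note #5 cannot overflow. The `Route` struct, `remainingLifetime` and `listUnexpired` are hypothetical stand-ins, the shape of the flagged expression is an assumption, and treating a default-constructed route as expired is a choice made for this sketch.

```cpp
#include <chrono>
#include <cstdint>
#include <vector>

// Hypothetical stand-ins for the types named in the issue; not NFD's definitions.
using Clock = std::chrono::steady_clock;
using TimePoint = Clock::time_point;
using Millis = std::chrono::milliseconds;

struct Route {
  uint64_t faceId = 0;
  TimePoint expires = TimePoint::min();  // the default questioned in the issue
};

// The pattern UBSan flags (assumed shape, kept as a comment so this file is UB-free):
//   auto left = route.expires - Clock::now();
// With expires == TimePoint::min() and a positive now(), the signed tick
// count goes below its minimum, which is undefined behavior.

// Writes the remaining lifetime to `out` and returns true only for an
// unexpired route. Comparing before subtracting keeps the difference positive.
bool remainingLifetime(const Route& r, TimePoint now, Millis& out) {
  if (r.expires <= now)
    return false;  // expired, late timer callback, or default-constructed
  auto e = r.expires.time_since_epoch();
  auto n = now.time_since_epoch();
  // A positive difference can still exceed the range when now is before the
  // clock's epoch, so saturate instead of overflowing.
  bool tooLarge = n.count() < 0 && e > Clock::duration::max() + n;
  out = std::chrono::duration_cast<Millis>(tooLarge ? Clock::duration::max() : e - n);
  return true;
}

// Dataset generation: take `now` once and include only unexpired routes.
std::vector<Millis> listUnexpired(const std::vector<Route>& rib, TimePoint now) {
  std::vector<Millis> dataset;
  for (const Route& r : rib) {
    Millis left{};
    if (remainingLifetime(r, now, left))
      dataset.push_back(left);
  }
  return dataset;
}
```

Building the flagged expression with `-fsanitize=undefined` is how the overflow shows up in tests; the guarded version above stays clean under the same flag.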

Actions #6

Updated by Junxiao Shi almost 7 years ago

  • Status changed from Rejected to New

Actions #7

Updated by Junxiao Shi almost 7 years ago

  • Status changed from New to In Progress
  • Assignee set to Junxiao Shi

Actions #8

Updated by Junxiao Shi almost 7 years ago

  • Status changed from In Progress to Code review
  • % Done changed from 0 to 100

Actions #9

Updated by Junxiao Shi almost 7 years ago

  • Description updated (diff)

Actions #10

Updated by Junxiao Shi almost 7 years ago

  • Status changed from Code review to Closed