Bug #3502
Closed
Potential integer overflow in RibManager::listEntries()
100%
Description
A potential integer overflow exists in RibManager::listEntries and Route's stream output operator.
The following line triggers an UBSan error:
boost::lexical_cast<std::string>(rib::Route{});
Updated by Junxiao Shi almost 9 years ago
- Assignee set to Vince Lehman
This is assigned to @Vince who authored this test suite in nfd:commit:cd16c83f3592aab7898a3504bcc38430828493e7.
In normal operations, a route is deleted by a timer upon its expiration.
However, this does not guarantee route.expires >= now(), because:
- Timer callback can be delayed.
- Time elapses during dataset generation; even if now() is called at the top of dataset generation, a route can expire between the time the Interest is received by RIB's face and this call.
Therefore, the dataset generation routine should check each route, and only include unexpired routes in the dataset.
Updated by Junxiao Shi about 8 years ago
- Target version changed from v0.5 to v0.6
RibManager::listEntries has been re-implemented with the dispatcher. Is this issue still relevant? If so, a new UBSan log should be posted.
Updated by Junxiao Shi over 7 years ago
- Status changed from New to Rejected
The function RibStatusPublisher::generate() no longer exists, so I'm rejecting this issue.
If the same problem still exists, please reopen with updated title and UBSan log.
Updated by Davide Pesavento over 7 years ago
- Subject changed from Potential integer overflow in RibStatusPublisher::generate() to Potential integer overflow in RibManager::listEntries()
The buggy code is still there, both in RibManager::listEntries and in Route's stream output operator.
No test case currently triggers the undefined behavior (signed overflow), but that's only because of lack of test coverage. For example, the following line triggers an UBSan error, as expected:
boost::lexical_cast<std::string>(rib::Route{});
I wonder what was the rationale for initializing Route::expires to TimePoint::min()?
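An added example, not part of the original thread and not the project's code: an overflow-free way to compute a route's remaining lifetime and to skip expired routes during dataset generation, as suggested earlier in the thread. It assumes the flagged code subtracts now() from route.expires; the Route struct, remainingLifetime, listUnexpired and the std::chrono aliases are hypothetical stand-ins.

```cpp
#include <chrono>
#include <cstdint>
#include <limits>
#include <vector>

// Assumption: std::chrono stands in for the project's own time types.
using Duration = std::chrono::nanoseconds;
using TimePoint = std::chrono::time_point<std::chrono::steady_clock, Duration>;
using Rep = Duration::rep;

// Hypothetical, reduced stand-in for rib::Route.
struct Route {
  uint64_t faceId = 0;
  TimePoint expires = TimePoint::min();  // default questioned in the thread
};

// Assumed naive form: `route.expires - now`. With expires == TimePoint::min()
// and a positive now, the signed tick subtraction overflows (undefined behavior).

// Writes the remaining lifetime to `out` and returns true only for a route
// that is still unexpired; never performs an overflowing subtraction.
bool remainingLifetime(const Route& route, TimePoint now, Duration& out) {
  const Rep e = route.expires.time_since_epoch().count();
  const Rep n = now.time_since_epoch().count();
  if (e <= n) {
    return false;  // expired, or still at the TimePoint::min() default
  }
  // e > n, so e - n can only overflow upward, and only when n is negative.
  if (n < 0 && e > std::numeric_limits<Rep>::max() + n) {
    out = Duration::max();  // clamp instead of overflowing
  } else {
    out = Duration(e - n);
  }
  return true;
}

struct DatasetItem { uint64_t faceId; Duration remaining; };

// Dataset generation that checks each route and includes only unexpired ones.
std::vector<DatasetItem> listUnexpired(const std::vector<Route>& routes, TimePoint now) {
  std::vector<DatasetItem> items;
  for (const Route& route : routes) {
    Duration left{};
    if (remainingLifetime(route, now, left)) {
      items.push_back({route.faceId, left});
    }
  }
  return items;
}
```

In this sketch a default-constructed Route is treated as already expired, which is a design choice of the example rather than something the thread specifies.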
Updated by Junxiao Shi over 7 years ago
- Status changed from New to In Progress
- Assignee set to Junxiao Shi
Updated by Junxiao Shi over 7 years ago
- Status changed from In Progress to Code review
- % Done changed from 0 to 100
Updated by Junxiao Shi over 7 years ago
- Status changed from Code review to Closed