Bug #3502
closed
Potential integer overflow in RibManager::listEntries()
Added by Davide Pesavento almost 9 years ago.
Updated over 7 years ago.
Description
A potential integer overflow exists in RibManager::listEntries and Route's stream output operator.
The following line triggers a UBSan error:
boost::lexical_cast<std::string>(rib::Route{});
- Assignee set to Vince Lehman
This is assigned to @Vince who authored this test suite in nfd:commit:cd16c83f3592aab7898a3504bcc38430828493e7.
In normal operations, a route is deleted by a timer upon its expiration.
However, this does not guarantee route.expires >= now(), because:
- Timer callback can be delayed.
- Time elapses during dataset generation; even if now() is called at the top of dataset generation, a route can expire between the time the Interest is received by RIB's face and this call.
Therefore, the dataset generation routine should check each route, and only include unexpired routes in the dataset.
- Assignee deleted (Vince Lehman)
- Target version changed from v0.5 to v0.6
RibManager::listEntries has been re-implemented with the dispatcher. Is this issue still relevant? If so, a new UBSan log should be posted.
- Status changed from New to Rejected
The function RibStatusPublisher::generate() no longer exists, so I'm rejecting this issue.
If the same problem still exists, please reopen with updated title and UBSan log.
- Subject changed from Potential integer overflow in RibStatusPublisher::generate() to Potential integer overflow in RibManager::listEntries()
The buggy code is still there, both in RibManager::listEntries and in Route's stream output operator.
No test case currently triggers the undefined behavior (signed overflow), but that's only because of a lack of test coverage. For example, the following line triggers a UBSan error, as expected:
boost::lexical_cast<std::string>(rib::Route{});
I wonder what was the rationale for initializing Route::expires to TimePoint::min()?
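Added example, not part of the thread and not NFD's code: one way to apply the check proposed earlier (include only unexpired routes) so that the subtraction reported here is never evaluated for a route whose expires is still TimePoint::min(). The Route and Entry structs and the remainingLifetime and buildDataset functions are hypothetical stand-ins built on std::chrono, and excluding a default-constructed route is simply a consequence of the comparison, not a statement of NFD's intended semantics.

```cpp
#include <chrono>
#include <cstdint>
#include <vector>

using Clock = std::chrono::steady_clock;
using TimePoint = Clock::time_point;
using Millis = std::chrono::milliseconds;

// Hypothetical stand-in for rib::Route, reduced to the fields used here.
struct Route {
  uint64_t faceId = 0;
  TimePoint expires = TimePoint::min();  // the default questioned in the thread
};

// Hypothetical dataset item: one unexpired route and its remaining lifetime.
struct Entry {
  uint64_t faceId;
  Millis expirationPeriod;
};

// Writes the remaining lifetime to `out` and returns true only for an
// unexpired route. The time points are compared before being subtracted:
// comparison cannot overflow, whereas `expires - now` is signed overflow
// when expires is TimePoint::min() and now is past the clock's epoch.
bool remainingLifetime(const Route& r, TimePoint now, Millis& out) {
  if (r.expires <= now) {
    return false;  // expired, or still holding the min() default
  }
  const auto sinceEpoch = now.time_since_epoch();
  // A positive difference can overflow only when now is before the epoch;
  // saturate in that case instead of subtracting.
  if (sinceEpoch < Clock::duration::zero() && r.expires > TimePoint::max() + sinceEpoch) {
    out = std::chrono::duration_cast<Millis>(Clock::duration::max());
    return true;
  }
  out = std::chrono::duration_cast<Millis>(r.expires - now);
  return true;
}

// Builds the dataset from a single `now` sample, skipping expired routes.
std::vector<Entry> buildDataset(const std::vector<Route>& routes, TimePoint now) {
  std::vector<Entry> dataset;
  for (const Route& r : routes) {
    Millis left{};
    if (remainingLifetime(r, now, left)) {
      dataset.push_back(Entry{r.faceId, left});
    }
  }
  return dataset;
}
```

Passing now as a parameter keeps one clock sample for the whole dataset, so a route that expires mid-generation is still compared against the same instant as every other route.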
- Status changed from Rejected to New
- Status changed from New to In Progress
- Assignee set to Junxiao Shi
- Status changed from In Progress to Code review
- % Done changed from 0 to 100
- Description updated (diff)
- Status changed from Code review to Closed