Skip to content

TS-4313: Fix improper type conversion #542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
maskit wants to merge 1 commit into from
Closed

TS-4313: Fix improper type conversion #542

maskit wants to merge 1 commit into from

Conversation

@maskit
Copy link
Member

@maskit maskit commented Mar 30, 2016

@zwoop
Copy link
Contributor

zwoop commented Mar 30, 2016

Nice catch! +1. I think we should mark this as a possibly back port to 6.1.2 as well.

Do you know if this bug is in 5.3.x as well? If so, it likely should go there as well.

jpeach
jpeach reviewed Mar 30, 2016
View reviewed changes
proxy/hdrs/MIME.cc Outdated
{
int slot_id, slot_num;
int slot_id;
intptr_t slot_num;
Copy link
Contributor

@jpeach jpeach Mar 30, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't seem to be needed?

@jpeach
Copy link
Contributor

jpeach commented Mar 30, 2016

ptrdiff_t is the right type for pointer arithmetic.

That said, I don't really understand the problem here. If field is not in the MIMEFieldBlockImpl you are scanning, then the pointer arithmetic is not valid in the first place. For the pointer arithmetic to overflow 32bits, the distance between the pointers would need to be 2^32 * sizeof(MIMEFieldBlockImpl), which seems unlikely.

A potential real problem here could be the compiler assuming that the comparison can't happen, since pointer arithmetic across different objects is not standards compliant, see here. To address this, I'd add MIMEFieldBlockImpl::contains(MIMEField*),

int
mime_hdr_field_slotnum(MIMEHdrImpl *mh, MIMEField *field)
{
  int slots_so_far;
  MIMEFieldBlockImpl *fblock;

  slots_so_far = 0;
  for (fblock = &(mh->m_first_fblock); fblock != NULL; fblock = fblock->m_next) {
    if (block->contains(field)) {
        MIMEField *first = &(fblock->m_field_slots[0]);
        ptrdiff_t block_slot = field - first; // in units of MIMEField
        return (slots_so_far + block_slot);
    }

    slots_so_far += MIME_FIELD_BLOCK_SLOTS;
  }
  return -1;
}

Can you think of a way to write tests for this?

@maskit
Copy link
Member Author

maskit commented Mar 31, 2016

@jpeach
I added some codes for debug and got these output. The rare case is happening.
(I built with --enable-debug and ASAN using clang on OSX.)

Output:

mime_hdr_set_accelerators_and_presence_bits(hdr 0x61d0001ab908, field 0x6250001aba98): &(mh->m_first_fblock.m_field_slots[0]) = 0x61d0001ab958
(int)(field - &(mh->m_first_fblock.m_field_slots[0])) = 0xA
(long)(field - &(mh->m_first_fblock.m_field_slots[0])) = 0x40000000A
(ptrdiff_t)(field - &(mh->m_first_fblock.m_field_slots[0])) = 0x40000000A
mime_hdr_field_slotnum(hdr 0x61d0001ab908, field 0x6250001ab998): first = 0x61d0001ab958
(int)(field - first) = 0x2
(long)(field - first) = 0x400000002
(ptrdiff_t)(field - first) = 0x400000002

Debug code1:

if ((int)(field - &(mh->m_first_fblock.m_field_slots[0])) >= 0 && (int)(field - &(mh->m_first_fblock.m_field_slots[0])) < MIME_FIELD_SLOTNUM_UNKNOWN && slot_num > UINT_MAX) {
  fprintf(stderr, "mime_hdr_set_accelerators_and_presence_bits(hdr %p, field %p): &(mh->m_first_fblock.m_field_slots[0]) = %p\n", mh, field, &(mh->m_first_fblock.m_field_slots[0]));
  fprintf(stderr, "(int)(field - &(mh->m_first_fblock.m_field_slots[0])) = 0x%X\n", (int)(field - &(mh->m_first_fblock.m_field_slots[0])));
  fprintf(stderr, "(long)(field - &(mh->m_first_fblock.m_field_slots[0])) = 0x%lX\n", (long)(field - &(mh->m_first_fblock.m_field_slots[0])));
  fprintf(stderr, "(ptrdiff_t)(field - &(mh->m_first_fblock.m_field_slots[0])) = 0x%tX\n", (ptrdiff_t)(field - &(mh->m_first_fblock.m_field_slots[0])));
}

Debug code2:

if ((int)(field - first) >= 0 && (int)(field - first) < MIME_FIELD_BLOCK_SLOTS && block_slot > UINT_MAX) {
  fprintf(stderr, "mime_hdr_field_slotnum(hdr %p, field %p): first = %p\n", mh, field, first);
  fprintf(stderr, "(int)(field - first) = 0x%X\n", (int)(field - first));
  fprintf(stderr, "(long)(field - first) = 0x%lX\n", (long)(field - first));
  fprintf(stderr, "(ptrdiff_t)(field - first) = 0x%tX\n", (ptrdiff_t)(field - first));
}

However the problem doesn't seems to be caused by the optimization, adding MIMEFieldBlockImpl::contains(MIMEField*) is a good idea. It's readable and reusable. I'll add it.

As for the tests, I had no idea. I came across the bug while I was testing HPACK, which just uses a MIMEHdr heavily. It may be possible to write tests for MIMEFieldBlockImpl::contains(MIMEField*). The test would be:

  1. Create a mime field
  2. Add 2^32 to the pointer of the mime field
  3. Pass the modified pointer to contains()
  4. Check if the result is false

@zwoop
The type conversions are in the initial commit on the git repo, so I think all versions should affect.

@jpeach
Copy link
Contributor

jpeach commented Mar 31, 2016

Oh interesting. It looks like the pointers are ~500GB apart, so that certainly confirms the problem you found! I wonder if that is specific to the ASAN virtual address space?

Anyway, it sounds like we agree on adding MIMEFieldBlockImpl::contains(MIMEField*) ... sounds great :)

@maskit maskit force-pushed the ts4313 branch 5 times, most recently from a2c804a to ce2bd9e Compare April 1, 2016 15:20
@maskit
Copy link
Member Author

maskit commented Apr 1, 2016

I've added contains() and tests for this.
@jpeach Can you review them?

jpeach
jpeach reviewed Apr 1, 2016
View reviewed changes
proxy/hdrs/MIME.cc Outdated
}

bool
MIMEFieldBlockImpl::contains(MIMEField *field)
Copy link
Contributor

@jpeach jpeach Apr 1, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

const MIMEField *field

@maskit maskit force-pushed the ts4313 branch 4 times, most recently from a4cfc22 to 4a692b6 Compare April 2, 2016 14:44
@maskit
TS-4313: Fix a bug in MIME caused by improper type conversion
a53b49e 
The old logic picks up a wrong block due to overflow that is caused by improper type conversion.
This fixes the type conversion and make sure that the block contains the field.
@asfgit asfgit closed this in caafcbb Apr 7, 2016
shinrich pushed a commit to shinrich/trafficserver that referenced this pull request Sep 3, 2021
@bneradt
fileName -> fileName.c_str() for logging (apache#542)
23559e3
masaori335 pushed a commit to masaori335/trafficserver that referenced this pull request Jul 24, 2023
Add OTHER to cipher TLS cipher metrics (apache#542)
74dbd97 
* Add OTHER to cipher TLS cipher metrics

* clang-format
masaori335 pushed a commit to masaori335/trafficserver that referenced this pull request Jul 24, 2023
@moonchen
Revert to April build, and fix ResourceManager reconfigure (apache#553)
e594d85 
* Revert "Gauge to Counter metrics for CDN Harmony (apache#544)"

This reverts commit 1a83589.

* Revert "[9.2.x] Improve performance of finding SNI Actions (apache#541)"

This reverts commit 21cbfc0.

* Revert "TSan: Make Thread::cur_time thread local (apache#9184) (apache#537)"

This reverts commit d93ac0e.

* Revert "Fix a crash in FetchSM (apache#546)"

This reverts commit e03b829.

* Revert "Remove dependency on OpenSSL's OCSP API (apache#538)"

This reverts commit 00ad803.

* Revert "Fix crashes on OCSP requests (apache#543)"

This reverts commit bbb41b9.

* Revert "Add OTHER to cipher TLS cipher metrics (apache#542)"

This reverts commit 74dbd97.

* Revert "rio: use bazinga-boringssl 19.x for boringssl build (apache#540)"

This reverts commit 9c57330.

* Revert "Use FetchSM for OCSP HTTP requests (apache#535)"

This reverts commit dbd0ec7.

* Do not schedule reconfigure event on schedule_imm_local

Co-authored-by: Mo Chen <mochen@apache.org>
Co-authored-by: Serris Lew <lserris@apple.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maskit @zwoop @jpeach