[atlesn] Fix misc. usage of uninitialized memory (#180)

[atlesn] Fix misc. usage of uninitialized memory
cowsql · Mar 23, 2024 · 421cffc · 421cffc
2 parents bee6c36 + e99dde7
commit 421cffc
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 11 deletions.
diff --git a/src/configuration.c b/src/configuration.c
@@ -282,9 +282,12 @@ size_t configurationEncodedSize(const struct raft_configuration *c)
     return bytePad64(n);
 }
 
-void configurationEncodeToBuf(const struct raft_configuration *c, void *buf)
+void configurationEncodeToBuf(const struct raft_configuration *c,
+                              void *buf,
+                              size_t buf_len)
 {
     uint8_t *cursor = buf;
+    uint8_t *end = cursor + buf_len;
     unsigned i;
 
     /* Encoding format version */
@@ -301,6 +304,10 @@ void configurationEncodeToBuf(const struct raft_configuration *c, void *buf)
         assert(server->role < 255);
         bytePut8(&cursor, (uint8_t)server->role);
     };
+
+    assert(cursor <= end);
+
+    memset(cursor, 0, (size_t) (end - cursor));
 }
 
 int configurationEncode(const struct raft_configuration *c,
@@ -321,7 +328,7 @@ int configurationEncode(const struct raft_configuration *c,
         goto err;
     }
 
-    configurationEncodeToBuf(c, buf->base);
+    configurationEncodeToBuf(c, buf->base, buf->len);
 
     return 0;
 

diff --git a/src/configuration.h b/src/configuration.h
@@ -96,8 +96,10 @@ int configurationCopy(const struct raft_configuration *src,
 size_t configurationEncodedSize(const struct raft_configuration *c);
 
 /* Encode the given configuration object to the given pre-allocated buffer,
- * which is assumed to be at least configurationEncodedSize(c) bytes. */
-void configurationEncodeToBuf(const struct raft_configuration *c, void *buf);
+ * which must be at least configurationEncodedSize(c) bytes. */
+void configurationEncodeToBuf(const struct raft_configuration *c,
+                              void *buf,
+                              size_t buf_len);
 
 /* Encode the given configuration object. The memory of the returned buffer is
  * allocated using raft_malloc(), and client code is responsible for releasing

diff --git a/src/convert.c b/src/convert.c
@@ -228,6 +228,8 @@ int convertToLeader(struct raft *r)
             goto err;
         }
 
+	*(uint64_t *) r->barrier.buf.base = 0;
+
         r->barrier.batch = r->barrier.buf.base;
 
         rv = ClientSubmit(r, &r->barrier, 1);

diff --git a/src/uv_encoding.c b/src/uv_encoding.c
@@ -180,7 +180,7 @@ static void encodeInstallSnapshot(const struct raft_install_snapshot *p,
     bytePut64(&cursor, p->conf_index); /* Configuration's index */
     bytePut64(&cursor, conf_size);     /* Length of configuration */
 
-    configurationEncodeToBuf(&p->conf, cursor); /* Configuration data */
+    configurationEncodeToBuf(&p->conf, cursor, conf_size); /* Configuration data */
     cursor = (uint8_t *)cursor + conf_size;
 
     bytePut64(&cursor, p->data.len); /* Length of snapshot data */
@@ -337,7 +337,10 @@ void uvEncodeBatchHeader(const struct raft_entry *entries,
         /* Message type (Either RAFT_COMMAND or RAFT_CHANGE) */
         bytePut8(&cursor, (uint8_t)entry->type);
 
-        cursor = (uint8_t *)cursor + 3; /* Unused */
+        /* Unused */
+        bytePut8(&cursor, 0);
+        bytePut8(&cursor, 0);
+        bytePut8(&cursor, 0);
 
         /* Size of the log entry data, little endian. */
         bytePut32(&cursor, (uint32_t)entry->buf.len);

diff --git a/src/uv_tcp_connect.c b/src/uv_tcp_connect.c
@@ -52,20 +52,23 @@ struct uvTcpConnect
 static int uvTcpEncodeHandshake(raft_id id, const char *address, uv_buf_t *buf)
 {
     uint8_t *cursor;
-    size_t address_len = bytePad64(strlen(address) + 1);
+    size_t address_len = strlen(address) + 1;
+    size_t address_len_padded = bytePad64(address_len);
     buf->len = sizeof(uint64_t) + /* Protocol version. */
                sizeof(uint64_t) + /* Server ID. */
-               sizeof(uint64_t) /* Size of the address buffer */;
-    buf->len += address_len;
+               sizeof(uint64_t) + /* Size of the address buffer */
+               address_len_padded;
     buf->base = RaftHeapMalloc(buf->len);
     if (buf->base == NULL) {
         return RAFT_NOMEM;
     }
     cursor = (uint8_t *)buf->base;
     bytePut64(&cursor, UV__TCP_HANDSHAKE_PROTOCOL);
     bytePut64(&cursor, id);
-    bytePut64(&cursor, address_len);
-    strcpy((char *)cursor, address);
+    bytePut64(&cursor, address_len_padded);
+    memcpy(cursor, address, address_len);
+    cursor += address_len;
+    memset(cursor, 0, address_len_padded - address_len);
     return 0;
 }