httpc: fix signed integer overflow #8464
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
You have successfully added a new CodeQL configuration |
Totktonada
added a commit
to tarantool/smtp
that referenced
this pull request
Mar 18, 2023
A cast of the value above 2^63-1 to `int64_t` has implementation defined behavior, see n1256, 6.3.1.3.3. `lua_pushinteger()` accepts `int64_t`, so passing `uint64_t` value may lead to pushing negative (or other incorrect) value. Let's use Tarantool specific `luaL_pushuint64()` function instead. This is mostly just to make things in the right way: it is unlikely to see such large values in the statistics in practice. See all the details in [1]. [1]: tarantool/tarantool#8464
Buristan
approved these changes
Mar 18, 2023
The `lua_add_key_u64()` function pushes an `uint64_t` value using `lua_pushinteger()`, which accepts `int64_t` argument. A value >= 2^63 will be interpreted as a negative value on all architectures we're supporting. However, technically it is implementation defined behavior (see n1256, 6.3.1.3.3). It is not a problem, in fact, because the function is used only to report `http_client:stat()` statistics and because values beyond 2^63-1 are unreachable in practice. OTOH, it is easy to eliminate the undefined behavior by replacing `lua_pushinteger()` with our own helper function, which accepts `uint64_t`: `luaL_pushuint64()`. The values above 10^14 - 1 are now pushed as `cdata<uint64_t>`. Lower values are pushed as `number` just like before the commit. Reported-in: tarantool/security#103 NO_DOC=The type of values in the statistics is not specified explicitly in the documentation (not obligated to be `number`) and it is quite common for Tarantool to return a value of `cdata<int64_t>` or `cdata<uint64_t>` type for an integer with a large absolute value. NO_CHANGELOG=see NO_DOC NO_TEST=It is hard to reach so large values externally (send 2^63 requests) and it doesn't look worthful to introduce an error injection/a internal API to test it. `luaL_pushuint64()` is covered by the module API test.
Totktonada
force-pushed
the
httpc-fix-signed-integer-overflow
branch
from
5d57ad0 to
312ad3a
Compare
Fixed the typo. |
Totktonada
added a commit
to tarantool/smtp
that referenced
this pull request
Mar 20, 2023
A cast of the value above 2^63-1 to `int64_t` has implementation defined behavior, see n1256, 6.3.1.3.3. `lua_pushinteger()` accepts `int64_t`, so passing `uint64_t` value may lead to pushing negative (or other incorrect) value. Let's use Tarantool specific `luaL_pushuint64()` function instead. This is mostly just to make things in the right way: it is unlikely to see such large values in the statistics in practice. See all the details in [1]. [1]: tarantool/tarantool#8464
|
Pushed to Not pushed to |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
lua_add_key_u64()function pushes anuint64_tvalue usinglua_pushinteger(), which acceptsint64_targument. A value >= 2^63 will be interpreted as a negative value on all architectures we're supporting. However, technically it is implementation defined behavior (see n1256, 6.3.1.3.3).It is not a problem, in fact, because the function is used only to report
http_client:stat()statistics and because values beyond 2^63-1 are unreachable in practice.OTOH, it is easy to eliminate the undefined behavior by replacing
lua_pushinteger()with our own helper function, which acceptsuint64_t:luaL_pushuint64().The values above 10^14 - 1 are now pushed as
cdata<uint64_t>. Lower values are pushed asnumberjust like before the commit.Reported-in: https://github.com/tarantool/security/issues/103