Hugo Mildenberger created THRIFT-1932:
-----------------------------------------
Summary: TFileTransport::readEvent() casts values read from input
stream into a pointer and dereferences it.
Key: THRIFT-1932
URL: https://issues.apache.org/jira/browse/THRIFT-1932
Project: Thrift
Issue Type: Bug
Components: C++ - Library
Affects Versions: 0.9
Environment: Hardened Gentoo amd64 Linux
Reporter: Hugo Mildenberger
The compilation of thrift-0.9.0 ended with the following warnings:
* QA Notice: Package triggers severe warnings which indicate that it
* may exhibit random runtime failures.
* src/thrift/transport/TFileTransport.cpp:715:56: warning: dereferencing
type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
* src/thrift/transport/TFileTransport.cpp:726:84: warning: dereferencing
type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing]
When looking into src/thrift/transport/TFileTransport.cpp:715 ...
711 readState_.eventSizeBuff_[readState_.eventSizeBuffPos_++] =
712 readBuff_[readState_.bufferPtr_++];
713 if (readState_.eventSizeBuffPos_ == 4) {
714 // 0 length event indicates padding
715 if (*((uint32_t *)(readState_.eventSizeBuff_)) == 0) {
716 // T_DEBUG_L(1, "Got padding");
717 readState_.resetState(readState_.lastDispatchPtr_);
718 continue;
719 }
... it becomes obvious that the four values cast into a pointer were
previously read from the input stream by ::read() in line 661:
661 readState_.bufferLen_ = ::read(fd_, readBuff_, readBuffSize_);
Same issue here:
725 readState_.event_ = new eventInfo();
726 readState_.event_->eventSize_ =
*((uint32_t*)(readState_.eventSizeBuff_));
727
While it is a two-minute job to fix this problem, the method
TFileTransport::readEvent() looks so fragile that a clean rewrite appears to be
more appropriate.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
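The following is an added example, not code from Thrift or from the reporter. It shows the portable replacement for the `*((uint32_t *)(readState_.eventSizeBuff_))` pattern quoted above (copying the four bytes into a properly aligned `uint32_t` with `std::memcpy`, which does not violate strict aliasing and cannot fault on an unaligned address) and drives it with a small parser over the same framing that readEvent() walks: a 4-byte size prefix followed by the payload, with a size of 0 meaning padding. The parser also rejects an oversized prefix and stops cleanly on a truncated tail, which is where a decoder fed untrusted file contents tends to go wrong. Assumptions: the prefix is in host byte order (which the original cast implies), and `kMaxEventSize`, `parseEvents`, `decodeEventSize`, `encodeEventSize` and the constructed sample stream are hypothetical names for this example only.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical upper bound on a single event, used to reject a corrupt
// or hostile size prefix before it drives a large allocation or read.
static const uint32_t kMaxEventSize = 1024;

struct ParsedEvent {
  std::string payload;
};

// Safe decode of the 4-byte size prefix. Copying into an aligned uint32_t is
// well-defined; casting the byte buffer to uint32_t* (as in the original
// TFileTransport code) breaks strict aliasing and may be misaligned.
inline uint32_t decodeEventSize(const uint8_t* sizeBuff) {
  uint32_t size;
  std::memcpy(&size, sizeBuff, sizeof size);
  return size;  // host byte order, as assumed for this example
}

// Mirror of the writer side: emit the 4-byte prefix in host byte order.
inline void encodeEventSize(uint32_t size, std::vector<uint8_t>& out) {
  uint8_t raw[sizeof size];
  std::memcpy(raw, &size, sizeof raw);
  out.insert(out.end(), raw, raw + sizeof raw);
}

inline void appendEvent(std::vector<uint8_t>& out, const std::string& payload) {
  encodeEventSize(static_cast<uint32_t>(payload.size()), out);
  out.insert(out.end(), payload.begin(), payload.end());
}

// Walk a buffer the way a read loop would: accumulate the size prefix one
// byte at a time (like eventSizeBuff_ / eventSizeBuffPos_), then take the
// payload. Size 0 is padding and is only counted. Returns false on a prefix
// above kMaxEventSize; a truncated trailing event is dropped silently.
bool parseEvents(const std::vector<uint8_t>& data,
                 std::vector<ParsedEvent>& events, size_t& paddingCount) {
  events.clear();
  paddingCount = 0;
  size_t pos = 0;
  while (data.size() - pos >= 4) {
    uint8_t sizeBuff[4];
    for (size_t i = 0; i < sizeof sizeBuff; ++i) sizeBuff[i] = data[pos++];
    const uint32_t size = decodeEventSize(sizeBuff);
    if (size == 0) {  // 0-length event indicates padding
      ++paddingCount;
      continue;
    }
    if (size > kMaxEventSize) return false;  // corrupt or hostile prefix
    if (size > data.size() - pos) break;     // truncated tail: stop here
    ParsedEvent ev;
    ev.payload.assign(data.begin() + pos, data.begin() + pos + size);
    events.push_back(ev);
    pos += size;
  }
  return true;
}

// Constructed sample stream: two events, one padding marker, and a
// truncated final event (declares 3 bytes, carries 1).
std::vector<uint8_t> makeSampleStream() {
  std::vector<uint8_t> out;
  appendEvent(out, "hello");
  encodeEventSize(0, out);
  appendEvent(out, "thrift!");
  encodeEventSize(3, out);
  out.push_back('x');
  return out;
}

int main() {
  std::vector<ParsedEvent> events;
  size_t padding = 0;
  const bool ok = parseEvents(makeSampleStream(), events, padding);
  std::printf("ok=%d events=%zu padding=%zu\n", ok ? 1 : 0, events.size(), padding);
  for (size_t i = 0; i < events.size(); ++i)
    std::printf("  event %zu: %s\n", i, events[i].payload.c_str());
  return ok ? 0 : 1;
}
```

The size check has to run before the payload is touched: the original code copies the decoded value straight into `eventSize_`, so any bound applied later is applied to a value already read from the file.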