[
https://issues.apache.org/jira/browse/KUDU-2305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joe McDonnell resolved KUDU-2305.
---------------------------------
Resolution: Fixed
Fix Version/s: 1.8.0
commit 6190e21ec315c1b2f0bad19219282a366b18ed18
Author: Joe McDonnell <[email protected]>
Date: Mon Mar 12 16:24:35 2018 -0700
KUDU-2305: Limit sidecars to INT_MAX and fortify socket code
Inspection of the code revealed some other local variables
that could overflow with large messages. This patch takes
two approaches to eliminate the issues.
First, it limits the total size of the messages by limiting
the total size of the sidecars to INT_MAX. The total size
of the protobuf and header components of the message
should be considerably smaller, so limiting the sidecars
to INT_MAX eliminates messages that are larger than UINT_MAX.
This also means that the sidecar offsets, which are unsigned
32-bit integers, are also safe. Given that
FLAGS_rpc_max_message_size is limited to INT_MAX at startup,
the receiver would reject any message this large anyway.
This also helps with the networking codepath, as any given
sidecar will have a size less than INT_MAX, so every Slice
that interacts with Writev() is shorter than INT_MAX.
Second, even with sidecars limited to INT_MAX, the headers
and protobuf parts of the messages mean that certain messages
could still exceed INT_MAX. This patch changes some of the sockets
codepath to tolerate iovec's that reference more than INT_MAX
bytes total. Specifically, it changes Writev()'s nwritten bytes
to an int64_t for both TlsSocket and Socket. TlsSocket works
because it is sending each Slice individually. The first change
limited any given Slice to INT_MAX, so each individual Write()
should not be impacted. For Socket, Writev() uses sendmsg(). It
should do partial network sends to handle this case. Any Write()
call specifies its size with a 32-bit integer, and that will
not be impacted by this patch.
Testing:
- Modified TestRpcSidecarLimits() to verify that sidecars are
limited to INT_MAX bytes.
- Added a test mode to TestRpcSidecarLimits() where it
overrides rpc_max_message_size and sends the maximal
message. This verifies that the client send codepath
can handle the maximal message.
Change-Id: I2d041e214b15d9c22b810588643798e2b3bc5c24
> Local variables can overflow when serializing a 2GB message
> -----------------------------------------------------------
>
> Key: KUDU-2305
> URL: https://issues.apache.org/jira/browse/KUDU-2305
> Project: Kudu
> Issue Type: Bug
> Components: rpc
> Affects Versions: 1.6.0
> Reporter: Joe McDonnell
> Assignee: Joe McDonnell
> Priority: Major
> Fix For: 1.8.0
>
>
> When rpc_max_message_size is set to its maximum of INT_MAX (2147483647),
> certain local variables in SerializeMessage can overflow as messages approach
> this size. Specifically, recorded_size, size_with_delim, and total_size are 4
> byte signed integers and could overflow when additional_size becomes large.
> Since INT_MAX is the largest allowable value for rpc_max_message_size (a 4
> byte signed integer), these variables will not overflow if changed to 4 byte
> unsigned integers. This would eliminate the potential problem for
> serialization.
> A similar problem exists in the InboundTransfer::ReceiveBuffer() and similar
> codepaths. Changing those variables to unsigned integers should resolve the
> issue.
> This does not impact existing systems, because the default value of
> rpc_max_message_size is 50MB.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
