Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUG: Buffer overrun in MessageQueue_AllocMessage #108

Open
shooshx opened this issue Nov 23, 2016 · 4 comments
Open

BUG: Buffer overrun in MessageQueue_AllocMessage #108

shooshx opened this issue Nov 23, 2016 · 4 comments
Labels
help wanted

Comments

@shooshx
Copy link

shooshx commented Nov 23, 2016

The internal message queueing mechanism doesn't seem to handle correctly the case where a message is allocated across the ending of the cyclic buffer.
This bug has the potential to crash the process with a segmentation fault.

code to reproduces the problem:

int main(int argc, const char * argv[])
{
    rmtError error;
    MessageQueue* queue = NULL;
    auto messageQueueSizeInBytes = 1024 * 64;
    New_1(MessageQueue, queue, messageQueueSizeInBytes);


    const char* t = "Hello1234567890123";
    int tsz = strlen(t);
    int written = 0;

    for(int i = 0; i < 100000; ++i)
    {
        bool threshCross = written + MessageQueue_SizeForPayload(tsz) > messageQueueSizeInBytes;
        if (threshCross)
        {
            Message* outmsg = MessageQueue_PeekNextMessage(queue);
            MessageQueue_ConsumeNextMessage(queue, outmsg);
            printf("Reading 1\n");
        }
        Message* message = MessageQueue_AllocMessage(queue, tsz, NULL);
        if (message == NULL)
            break;

        if (threshCross) {
            printf("Got %p inside buffer %p  which is  %d  bytes from the end with payload size %d\n",
                    (void*)message->payload, (void*)queue->data->ptr, ((char*)queue->data->ptr + queue->size - (char*)message->payload), tsz);
            break;
        }

        // Copy the text and commit the message
        memcpy(message->payload, t, tsz);
        MessageQueue_CommitMessage(message, MsgID_LogText);
        written += MessageQueue_SizeForPayload(tsz);
    }

    return 0;
}

prints:

Got 0x108d3cffc inside buffer 0x108d2d000  which is  4  bytes from the end with payload size 18
@shooshx
Copy link
Author

shooshx commented Dec 18, 2016

no replay for almost a month... so this project is basically dead?

@vinjn
Copy link

vinjn commented Dec 18, 2016
edited

Dude, this is the world of open-source project.
The author could be busy with other projects / making money / having xmas holiday.

@dwilliamson
Copy link
Collaborator

@shooshx PRs are more than welcome.

@shooshx
Copy link
Author

shooshx commented Dec 19, 2016
edited

@dwilliamson I've came across this issue when I copied your code as a starting point for a lockless queue for my own purpose. In my code, solving this required some significant changes to the structures involved and the way the queue works. I'm not sure I know enough about the intricacies of your code base yet to do it properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vinjn @shooshx @dwilliamson