Heap-buffer-overflow detected by ASan in WorkerManager::handleRpc

Description

The error is detected when running the unit test ServiceTest.sendReply. The heap-buffer-overflow happens at

where 'level' is obtained from

In this case, level is 255 because that is the NO_LEVEL constant associated with an invalid/mock RPC. Earlier in the WorkerManager::handleRpc function, there is a check for an illegal RPC opcode. However, this check only tests whether the opcode is greater than or equal to the upper bound 'WireFormat::ILLEGAL_RPC_TYPE' and doesn't check the lower bound. The smallest opcode is PING = 7. The sendReply test uses a mock RPC with an opcode smaller than 6. Thus, it gets through the check and causes the overflow.
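The upper-bound-only check described above, set beside a check on both bounds, as an added example that is not the project's own code. Only PING = 7, NO_LEVEL = 255 and the name ILLEGAL_RPC_TYPE come from the report; the value of ILLEGAL_RPC_TYPE, NUM_LEVELS, the LEVEL_OF table and every function name are assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

constexpr uint16_t PING = 7;               // smallest valid opcode (from the report)
constexpr uint16_t ILLEGAL_RPC_TYPE = 12;  // assumed value of the upper bound
constexpr uint8_t NO_LEVEL = 255;          // level of an invalid/mock RPC (from the report)
constexpr size_t NUM_LEVELS = 4;           // assumed size of the array indexed by level

// Hypothetical opcode -> level table: opcodes below PING are unassigned.
constexpr std::array<uint8_t, ILLEGAL_RPC_TYPE> LEVEL_OF = {
    NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL,
    0, 1, 1, 2, 3};

enum class Verdict { REJECTED, IN_BOUNDS, OUT_OF_BOUNDS };

// The check as the report describes it: upper bound only.
bool acceptUpperOnly(uint16_t opcode) {
    return opcode < ILLEGAL_RPC_TYPE;
}

// Both bounds, plus a check that the derived level is a usable index.
bool acceptBothBounds(uint16_t opcode) {
    return opcode >= PING && opcode < ILLEGAL_RPC_TYPE &&
           LEVEL_OF[opcode] < NUM_LEVELS;
}

// Says what a later levels[level] access would do, without performing it.
Verdict classify(uint16_t opcode, bool (*accept)(uint16_t)) {
    if (!accept(opcode))
        return Verdict::REJECTED;
    uint8_t level = LEVEL_OF[opcode];
    return level < NUM_LEVELS ? Verdict::IN_BOUNDS : Verdict::OUT_OF_BOUNDS;
}

int main() {
    const uint16_t mockOpcode = 3;  // constructed: any opcode below PING
    bool oldOob = classify(mockOpcode, acceptUpperOnly) == Verdict::OUT_OF_BOUNDS;
    bool newRejects = classify(mockOpcode, acceptBothBounds) == Verdict::REJECTED;
    std::printf("upper-bound check lets level 255 through: %d\n", oldOob);
    std::printf("two-sided check rejects the opcode: %d\n", newRejects);
    return 0;
}
```

Validating the derived level as well as the opcode keeps the index safe even if a valid opcode is later added to the table without a level.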

Environment

None

Status

Assignee

John Ousterhout

Reporter

Yilong Li

Labels

None

Priority

Medium