Heap-buffer-overflow detected by ASan in WorkerManager::handleRpc

Description

The error is detected when running unit test ServiceTest.sendReply. The heap-buffer-overflow happens at

WorkerManager.cc:205 levels[level].requestsRunning++;

where 'level' is obtained from

WorkerManager.cc:166 int level = RpcLevel::getLevel(WireFormat::Opcode(header->opcode));

In this case, level is 255 because that is the NO_LEVEL constant associated with invalid/mock rpc. Earlier in the WorkerManager::handleRpc function, there is a check for illegal rpc opcode. However, this check only checks if opcode is greater than or equal to the upper bound 'WireFormat::ILLEGAL_RPC_TYPE' and doesn't check the lower bound. The smallest opcode is PING = 7. In the sendReply test, it uses a mock rpc with opcode smaller than 6. Thus, it gets through the check and causes the overflow.

Environment

None

Status

Assignee

John Ousterhout

Reporter

Yilong Li

Labels

None

Priority

Medium
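The failure mode in the description, reduced to a stand-alone sketch (an added example, not RAMCloud's code): an upper-bound-only opcode check lets a low mock opcode reach the level lookup, which returns 255 and indexes past the per-level array. Only PING = 7 and NO_LEVEL = 255 come from the report; the value of ILLEGAL_RPC_TYPE, the array size, the level mapping and all function names are assumptions made for illustration.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>

constexpr int PING = 7;               // smallest valid opcode (from the report)
constexpr uint8_t NO_LEVEL = 255;     // level of invalid/mock opcodes (from the report)
constexpr int ILLEGAL_RPC_TYPE = 12;  // constructed value for the upper bound
constexpr int NUM_LEVELS = 3;         // constructed size of the levels array

struct Level { int requestsRunning = 0; };
using Levels = std::array<Level, NUM_LEVELS>;

// Hypothetical stand-in for RpcLevel::getLevel: opcodes with no assigned
// level map to NO_LEVEL; the mapping for valid opcodes is made up.
uint8_t getLevel(int opcode) {
    if (opcode < PING || opcode >= ILLEGAL_RPC_TYPE) return NO_LEVEL;
    return static_cast<uint8_t>((opcode - PING) % NUM_LEVELS);
}

// The check as the report describes it: only the upper bound is tested.
bool upperBoundOnly(int opcode) { return opcode < ILLEGAL_RPC_TYPE; }

// Index that levels[] would be accessed with under the old check,
// or -1 if the check rejects the opcode. Nothing is dereferenced here.
int indexReachedByOldCheck(int opcode) {
    return upperBoundOnly(opcode) ? getLevel(opcode) : -1;
}

enum class Result { Dispatched, RejectedOpcode, RejectedLevel };

// Hardened path: test both opcode bounds, then validate the derived index
// before using it, so a future gap in the opcode table cannot overflow.
Result handleRpc(Levels& levels, int opcode) {
    if (opcode < PING || opcode >= ILLEGAL_RPC_TYPE)
        return Result::RejectedOpcode;
    const int level = getLevel(opcode);
    if (level >= NUM_LEVELS)
        return Result::RejectedLevel;
    levels[static_cast<std::size_t>(level)].requestsRunning++;
    return Result::Dispatched;
}

int main() {
    Levels levels{};
    const int mockOpcode = 3;  // constructed: a mock opcode below PING
    std::printf("old check -> index %d (array size %d)\n",
                indexReachedByOldCheck(mockOpcode), NUM_LEVELS);
    std::printf("hardened  -> rejected: %d\n",
                handleRpc(levels, mockOpcode) == Result::RejectedOpcode);
    return 0;
}
```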