Heap-buffer-overflow detected by ASan in WorkerManager::handleRpc

Description

The error is detected when running unit test ServiceTest.sendReply. The heap-buffer-overflow happens at

where 'level' is obtained from

In this case, level is 255 because that is the NO_LEVEL constant associated with an invalid/mock rpc. Earlier in the WorkerManager::handleRpc function, there is a check for an illegal rpc opcode. However, this check only tests whether the opcode is greater than or equal to the upper bound 'WireFormat::ILLEGAL_RPC_TYPE' and doesn't check the lower bound. The smallest opcode is PING = 7. The sendReply test uses a mock rpc with opcode smaller than 6. Thus, it gets through the check and causes the overflow.

Environment

None

Assignee

John Ousterhout

Reporter

Yilong Li

Labels

None

Priority

Medium
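
The bounds-check gap from the description, as an added example that is not RAMCloud source: it compares an upper-bound-only opcode check with one that also enforces the lower bound and validates the derived level. NO_LEVEL = 255 and PING = 7 come from the report; the value of ILLEGAL_RPC_TYPE, NUM_LEVELS, the LEVEL_OF table and all function names are constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

constexpr uint8_t  NO_LEVEL = 255;         // from the report: level of an invalid/mock rpc
constexpr uint16_t PING = 7;               // from the report: smallest valid opcode
constexpr uint16_t ILLEGAL_RPC_TYPE = 10;  // constructed value for the upper bound
constexpr size_t   NUM_LEVELS = 3;         // constructed size of the per-level array

// Hypothetical opcode -> level table; opcodes below PING are unused and map to NO_LEVEL.
constexpr uint8_t LEVEL_OF[ILLEGAL_RPC_TYPE] = {
    NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL, NO_LEVEL, 0, 1, 2};

// The check as the report describes it: only the upper bound is tested.
bool acceptsUpperBoundOnly(uint16_t opcode) {
    return opcode < ILLEGAL_RPC_TYPE;
}

// Hardened check: both opcode bounds, then the derived index itself.
bool acceptsHardened(uint16_t opcode) {
    if (opcode < PING || opcode >= ILLEGAL_RPC_TYPE) return false;
    return LEVEL_OF[opcode] < NUM_LEVELS;
}

// Returns the index a caller would use on a NUM_LEVELS-sized array, or -1 if
// the opcode is rejected. Nothing is dereferenced here; the point is to show
// which index each check lets through.
int indexReached(uint16_t opcode, bool (*accepts)(uint16_t)) {
    if (!accepts(opcode)) return -1;
    return LEVEL_OF[opcode];
}

int main() {
    const uint16_t mockOpcode = 3;  // constructed: a mock opcode below PING
    std::printf("upper-bound-only: index %d (array size %zu)\n",
                indexReached(mockOpcode, acceptsUpperBoundOnly), NUM_LEVELS);
    std::printf("hardened:         index %d\n",
                indexReached(mockOpcode, acceptsHardened));
    return 0;
}
```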