From 18da76ec68e133549731f02de2078e70e6010fe4 Mon Sep 17 00:00:00 2001
From: zb0
Date: Thu, 9 Sep 2021 16:31:52 +0800
Subject: [PATCH] fix the possible interger overflow problem when decode handshake msg

---
 .../packet/ompk_handshake_response.cpp | 47 +++++++++++-------
 1 file changed, 28 insertions(+), 19 deletions(-)

diff --git a/deps/oblib/src/rpc/obmysql/packet/ompk_handshake_response.cpp b/deps/oblib/src/rpc/obmysql/packet/ompk_handshake_response.cpp
index ef51ebc57..69418fbe0 100644
--- a/deps/oblib/src/rpc/obmysql/packet/ompk_handshake_response.cpp
+++ b/deps/oblib/src/rpc/obmysql/packet/ompk_handshake_response.cpp
@@ -121,36 +121,45 @@ int OMPKHandshakeResponse::decode()
 uint64_t key_len = 0;
 ret = ObMySQLUtil::get_length(pos, key_len, key_inc_len);
 // OB_ASSERT(OB_SUCC(ret) && all_attrs_len > key_inc_len);
- if (OB_SUCC(ret) && all_attrs_len > key_inc_len) {
+ if (OB_SUCC(ret) && all_attrs_len > key_inc_len && pos < end) {
 all_attrs_len -= key_inc_len;
 str_kv.key_.assign_ptr(pos, static_cast(key_len));
 // OB_ASSERT(all_attrs_len > key_len);
 if (all_attrs_len > key_len) {
 all_attrs_len -= key_len;
- pos += key_len;
-
- // get value
- uint64_t value_inc_len = 0;
- uint64_t value_len = 0;
- ret = ObMySQLUtil::get_length(pos, value_len, value_inc_len);
- // OB_ASSERT(OB_SUCC(ret) && all_attrs_len > value_inc_len);
- if (OB_SUCC(ret) && all_attrs_len > value_inc_len) {
- all_attrs_len -= value_inc_len;
- str_kv.value_.assign_ptr(pos, static_cast(value_len));
- // OB_ASSERT(all_attrs_len >= value_len);
- if (all_attrs_len >= value_len) {
- all_attrs_len -= value_len;
- pos += value_len;
- if (OB_FAIL(connect_attrs_.push_back(str_kv))) {
- LOG_WARN("fail to push back str_kv", K(str_kv), K(ret));
+ if (end - pos > key_len) {
+ pos += key_len;
+ // get value
+ uint64_t value_inc_len = 0;
+ uint64_t value_len = 0;
+ ret = ObMySQLUtil::get_length(pos, value_len, value_inc_len);
+ // OB_ASSERT(OB_SUCC(ret) && all_attrs_len > value_inc_len);
+ if (OB_SUCC(ret) && all_attrs_len > value_inc_len && pos < end) {
+ all_attrs_len -= value_inc_len;
+ str_kv.value_.assign_ptr(pos, static_cast(value_len));
+ // OB_ASSERT(all_attrs_len >= value_len);
+ if (all_attrs_len >= value_len) {
+ all_attrs_len -= value_len;
+ if (end - pos >= value_len) {
+ pos += value_len;
+ if (OB_FAIL(connect_attrs_.push_back(str_kv))) {
+ LOG_WARN("fail to push back str_kv", K(str_kv), K(ret));
+ }
+ } else {
+ ret = OB_INVALID_ARGUMENT;
+ LOG_ERROR("invalid packet", K(ret), K(all_attrs_len), K(value_len), K((end - pos)));
+ }
+ } else {
+ ret = OB_INVALID_ARGUMENT;
+ LOG_ERROR("invalid packet", K(ret), 
K(all_attrs_len), K(value_len));
 }
 } else {
 ret = OB_INVALID_ARGUMENT;
- LOG_ERROR("invalid packet", K(ret), K(all_attrs_len), K(value_len));
+ LOG_ERROR("invalid packet", K(ret), K(all_attrs_len), K(value_inc_len));
 }
 } else {
 ret = OB_INVALID_ARGUMENT;
- LOG_ERROR("invalid packet", K(ret), K(all_attrs_len), K(value_inc_len));
+ LOG_ERROR("invalid packet", K(ret), K(all_attrs_len), K(key_len), K((end - pos)));
 }
 } else {
 ret = OB_INVALID_ARGUMENT;
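Review bot: The new `end - pos > key_len` guard is evaluated after `str_kv.key_.assign_ptr(pos, …)` has already attached the unvalidated `key_len` to the key view, and the value path repeats the pattern with `str_kv.value_.assign_ptr(pos, …)` placed before `end - pos >= value_len`; nothing reads those views unless the checks pass, but moving each `assign_ptr` inside its bounds check, directly before `pos += key_len;` and `pos += value_len;`, means an out-of-range length is never bound to a string at all. The asymmetry between `>` for the key and `>=` for the value looks intentional, since the key must still be followed by the value's length prefix, and would be clearer with a comment such as `// key must leave at least one byte for the value's length prefix`. Note that `pos < end` is only checked after `ObMySQLUtil::get_length` has already advanced `pos`, so whether the length-prefix read itself is bounded depends on get_length, which is not visible here. Both `end - pos` comparisons mix a signed pointer difference with `uint64_t`; they are safe only because `pos < end` was established just above, and a `static_cast<uint64_t>(end - pos)` would make that intent explicit and keep `-Wsign-compare` quiet. decode() begins and ends outside the hunk.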