Buffer overflow warning #3

Closed
davidchall opened this issue Mar 10, 2020 · 10 comments
@davidchall davidchall commented Mar 10, 2020

Hello - I'm using AsioHeaders in the ipaddress package, so thank you for providing this resource!

CRAN noticed a compilation warning about a buffer overflow:

```
/data/gannet/ripley/R/test-4.0/AsioHeaders/include/asio/detail/impl/socket_ops.ipp:2125:29: warning: '%lu' directive writing between 1 and 20 bytes into a region of size 16 [-Wformat-overflow=]
2125 |       sprintf(if_name + 1, "%lu", scope_id);
     |                             ^~~
```

After a bit of investigation, I found this was fixed by boostorg/asio@dd3a28c. This was released in Boost 1.69 / Asio 1.12.2. You can see it mentioned in their Revision History:

  • Fixed a buffer overflow that could occur when parsing an address string with a 64-bit scope id.

The AsioHeaders package currently bundles Asio 1.12.1. So we could either bump to the required patch (1.12.2), or we could update to the latest release (1.16.0).

@eddelbuettel - which option do you think is best? (considering the other packages depending on AsioHeaders)
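The size mismatch that the warning above reports, as an added example that is not part of the original issue and is not Asio's code or its fix. The 17-byte buffer is an assumption derived from the warning text (16 bytes left after `if_name + 1`), and `scope_id_bytes_needed` and `format_scope_suffix` are hypothetical helper names.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumption taken from the warning text: the write starts at if_name + 1 and
   16 bytes remain, so the whole buffer is modelled here as 17 bytes. */
#define IF_NAME_BUF 17

/* Bytes "%lu" needs for this value, including the terminating NUL. */
size_t scope_id_bytes_needed(unsigned long scope_id)
{
    return (size_t)snprintf(NULL, 0, "%lu", scope_id) + 1;
}

/* Flagged pattern, shown only as a comment because it is unbounded:
 *     sprintf(if_name + 1, "%lu", scope_id);
 * Bounded form (hypothetical helper): writes "%<scope_id>" into out and
 * returns 0, or returns -1 and leaves an empty string if it does not fit. */
int format_scope_suffix(char *out, size_t out_len, unsigned long scope_id)
{
    if (out == NULL || out_len < 2)
        return -1;
    out[0] = '%';
    int n = snprintf(out + 1, out_len - 1, "%lu", scope_id);
    if (n < 0 || (size_t)n >= out_len - 1) {
        out[0] = '\0';   /* never hand back a truncated scope id */
        return -1;
    }
    return 0;
}

int main(void)
{
    char if_name[IF_NAME_BUF];
    unsigned long ids[] = { 2UL, 4294967295UL, ULONG_MAX }; /* constructed samples */

    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        int rc = format_scope_suffix(if_name, sizeof if_name, ids[i]);
        printf("scope_id=%lu needs %zu bytes, %zu available: %s\n",
               ids[i], scope_id_bytes_needed(ids[i]), sizeof if_name - 1,
               rc == 0 ? if_name : "rejected");
    }
    return 0;
}
```

Where `unsigned long` is 64 bits, `ULONG_MAX` needs 21 bytes and is rejected; the other two samples fit.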

Owner

@eddelbuettel eddelbuettel commented Mar 10, 2020

Thanks for the heads-up. I will look into updating Asioheaders to 1.22.2.

I believe I checked not so long ago and had not noticed a new version then.

Author

@davidchall davidchall commented Mar 10, 2020

Thanks!

In case it helps, you can match up Asio versions to Boost versions here and then find release dates here. So Asio 1.12.2 was released on 2018-12-18 and Asio 1.16.0 was released on 2019-12-11.

Owner

@eddelbuettel eddelbuettel commented Mar 10, 2020

I usually go to the source at https://think-async.com/Asio/index.html

It states the same for 1.12.2; it does not mention 1.16.0. Sure that's no typo?

And so far I stuck with releases rather than dev versions.

Author

@davidchall davidchall commented Mar 10, 2020

Oh wow - that’s interesting!! Perhaps that website is outdated?

Certainly Asio has been updated in each release of Boost recently, and those can’t be considered dev versions. And the Asio GitHub repo has tags for each Boost release.

Owner

@eddelbuettel eddelbuettel commented Mar 10, 2020

I am not sure. AFAICR Asio in Boost requires linking, hence the interest in AsioHeaders which I got from the other repo. Maybe it requires backporting?

Author

@davidchall davidchall commented Mar 10, 2020

That's really strange. Back porting shouldn't be necessary, because here it says:

All development is done in the Asio repository on GitHub. The source is periodically converted into Boost format using a script called boostify.pl, and the changes merged into the Boost GitHub repository.

It sounds like the Boost.Asio code has been tagged when the Asio code hasn't. Looks like this has caused others confusion too (here and here).

At least we can still update AsioHeaders to version 1.12.2 though.

Owner

@eddelbuettel eddelbuettel commented Mar 10, 2020

Yes, I just did the upgrade to 1.12.2 which was simple enough (so far only locally, haven't pushed yet). If you can reproduce the UBSAN issue locally I can provide you the tarball, otherwise I may just upload this tomorrow or later this week. There are only three CRAN packages depending on AsioHeaders so reverse dependency checks should be quick.

@chriskohlhoff Can you advise as to whether 1.12.2 is the current version, or whether (as @davidchall noticed here) there is a slight gap or delay to Boost which seems to report 1.16?

Author

@davidchall davidchall commented Mar 10, 2020

Unfortunately I'm unable to reproduce the issue locally. The warning appeared in the CRAN checks log.

Thanks for the quick response!

Owner

@eddelbuettel eddelbuettel commented Mar 11, 2020

Ok, wrapped it up as a package this morning, shipped it and it is now on CRAN. I hope that helps with your one identified issue. Please circle back if it doesn't.

Otherwise I have no deeper insight into whether there is or isn't a newer Asio headers set when compared to Boost proper. @chriskohlhoff your comments would still be appreciated greatly.

Author

@davidchall davidchall commented Mar 12, 2020

Thanks!! Everything's looking good, but I'll let you know if something crops up.
