Fix for a fuzzer-discovered integer underflow of the flow control window size #692
Conversation
| self.inner.streams.set_target_connection_window_size(size); | ||
| let _res = self.inner.streams.set_target_connection_window_size(size); | ||
| // TODO: proper error handling | ||
| debug_assert!(_res.is_ok()); |
There was a problem hiding this comment.
There are some debug left around here and in other files. Are these on purpose?
There was a problem hiding this comment.
Yes. Whenever it was obvious on how to handle a potential overflow, I did. However, many of the call sites do not have a Result return type, so it is not easy to propagate the Error. I assume that those functions should not be able not fail. I did not want to incur additional overhead in release builds, so I stuck with debug_assert! and left the TODO comment. For those TODOs someone with more experience with the code should check whether they are fine to be left as debug_assert!, whether they should be checked with assert! or whether error propagation is needed.
There was a problem hiding this comment.
FYI: I did more fuzzing runs with this patch and none of the debug_assert! are triggered, so that gives some assurance that the they are indeed not reachable. So I think we could remove the todo comments, but I would leave the debug_assert! as is.
f0rki
force-pushed
the
window-overflow-fix
branch
from
ead98f1
to
09d4849
Compare
…dow size Removed the SubAssign, etc. syntactic sugar functions and switched to return Result on over/underflow Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with `debug_assert!`, assuming that those code paths do not over/underflow. Signed-off-by: Michael Rodler <mrodler@amazon.de> Co-Authored-By: f0rki <m@mrodler.eu> Reviewed-by: Daniele Ahmed <ahmeddan@amazon.de>
f0rki
force-pushed
the
window-overflow-fix
branch
from
09d4849
to
eb10db0
Compare
Signed-off-by: Daniele Ahmed <ahmeddan@amazon.de>
|
@f0rki is it ready for review? |
looks good to me @82marbag @seanmonstar |
…dow size (hyperium#692) Removed the SubAssign, etc. syntactic sugar functions and switched to return Result on over/underflow Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with `debug_assert!`, assuming that those code paths do not over/underflow. Signed-off-by: Michael Rodler <mrodler@amazon.de> Signed-off-by: Daniele Ahmed <ahmeddan@amazon.de> Co-authored-by: Michael Rodler <mrodler@amazon.de> Co-authored-by: Daniele Ahmed <ahmeddan@amazon.de>
…dow size (hyperium#692) Removed the SubAssign, etc. syntactic sugar functions and switched to return Result on over/underflow Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with `debug_assert!`, assuming that those code paths do not over/underflow. Signed-off-by: Michael Rodler <mrodler@amazon.de> Signed-off-by: Daniele Ahmed <ahmeddan@amazon.de> Co-authored-by: Michael Rodler <mrodler@amazon.de> Co-authored-by: Daniele Ahmed <ahmeddan@amazon.de>
…dow size (hyperium#692) Removed the SubAssign, etc. syntactic sugar functions and switched to return Result on over/underflow Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with `debug_assert!`, assuming that those code paths do not over/underflow. Signed-off-by: Michael Rodler <mrodler@amazon.de> Signed-off-by: Daniele Ahmed <ahmeddan@amazon.de> Co-authored-by: Michael Rodler <mrodler@amazon.de> Co-authored-by: Daniele Ahmed <ahmeddan@amazon.de> Signed-off-by: Sven Pfennig <s.pfennig@reply.de>
Fuzzing discovered a integer underflow in the flow control handling that can be triggered by a certain sequence of frames. In release builds this would lead to wrap-around of the negative window. This seems incorrect to me. I did not find anything definitive in the http2 spec.
Removed the SubAssign, etc. syntactic sugar functions and switched to return Result on over/underflow
Whenever possible, switched to returning a library GoAway protocol error. Otherwise we check for over/underflow only with
debug_assert!, assuming that those code paths do not over/underflow. In this case I leftTODO:comments.