Harden core RPC marshalling, decode, and message parsing against corrupted data #258

Merged
linmajia merged 9 commits into microsoft:master from linmajia:fix on Jun 27, 2026
Conversation

@linmajia (Contributor)

Summary

Hardens the core serialization/RPC layer and network message parsers so
malformed or fault-injected data is rejected cleanly instead of asserting,
aborting, or dereferencing null. Bumps the rDSN.dist.service submodule to pick
up the matching meta/replica hardening.

Changes

  • Checked (un)marshalling (include/dsn/cpp/serialization.h,
    serialization_helper/thrift_helper.h, clientlet.h, rpc_stream.h,
    serverlet.h, src/dev/cpp/utils.cpp): marshall() throws instead of
    asserting on invalid input/format/writer failure; added try_marshall() /
    try_unmarshall(); typed client/server request/reply paths route through the
    checked wrappers. binary_reader string/blob/buffer reads reject
    negative/over-long lengths.
  • Core RPC decode (src/core/src/rpc_engine.cpp, command_manager.cpp,
    dist.uri.resolver/partition_resolver_simple.cpp): on_recv_reply decodes
    the ERR_FORWARD_TO_OTHERS forward address via try_unmarshall and delivers
    ERR_NETWORK_FAILURE on failure instead of forwarding to a garbage address;
    run_command returns false on undecodable CLI response; resolver surfaces
    config-response decode failure via client_err.
  • Thrift message parser (src/plugins/tools.common/thrift_message_parser.cpp):
    reject malformed thrift input through the parser error path instead of
    dereferencing a null parse_message() result; catch decode exceptions around
    readMessageBegin; free the temporary message_ex on all failure paths;
    replace the request-only dassert with checked rejection of non-request
    messages.
  • Fault injector (src/plugins/tools.common/fault_injector.cpp): safe
    handling of injected header/body corruption.
  • Tests (src/core/src/rpc_message.test.cpp): cover try_marshall /
    try_unmarshall null-message, invalid-format, and string round-trip paths.
  • Submodule: bump rDSN.dist.service to the hardened revision.
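The bullet list above describes two defensive patterns in the abstract: a reader whose string/blob reads reject negative and over-long length prefixes before touching memory, and a `try_unmarshall()` wrapper that turns decode failures into a boolean the caller can act on (for example, delivering an error to the waiting caller instead of using a garbage forward address). The following is an added illustration of both patterns in stand-alone C++; it is not rDSN's `binary_reader` or its `try_unmarshall`, and every type, function and sample message in it (`checked_reader`, `config_response`, the constructed byte vectors) is hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical checked byte reader (an illustration, not rDSN's binary_reader).
// Every read validates the length prefix against the bytes that remain, so a
// corrupted or fault-injected message fails with an exception rather than an
// assert, an abort, or a read past the end of the buffer.
class checked_reader {
public:
    checked_reader(const uint8_t* data, size_t len) : _cur(data), _end(data + len) {}

    size_t remaining() const { return static_cast<size_t>(_end - _cur); }

    // Fixed-width field: fail on truncation instead of reading past the end.
    int32_t read_i32() {
        if (remaining() < sizeof(int32_t)) throw std::runtime_error("truncated int32");
        int32_t v;
        std::memcpy(&v, _cur, sizeof v);  // host byte order, for the example only
        _cur += sizeof v;
        return v;
    }

    // Length-prefixed string: reject negative and over-long lengths before copying.
    std::string read_string() {
        int32_t n = read_i32();
        if (n < 0) throw std::runtime_error("negative string length");
        if (static_cast<size_t>(n) > remaining()) throw std::runtime_error("string length exceeds buffer");
        std::string s(reinterpret_cast<const char*>(_cur), static_cast<size_t>(n));
        _cur += n;
        return s;
    }

private:
    const uint8_t* _cur;
    const uint8_t* _end;
};

// A constructed message type for the example (not a real rDSN RPC struct).
struct config_response {
    std::string app_name;
    int32_t partition_count = 0;
};

// try_unmarshall-style wrapper: the caller gets a bool and decides what to do
// (e.g. deliver an error to the waiting caller) instead of catching exceptions.
bool try_unmarshall(const std::vector<uint8_t>& buf, config_response& out) {
    try {
        checked_reader r(buf.data(), buf.size());
        config_response tmp;
        tmp.app_name = r.read_string();
        tmp.partition_count = r.read_i32();
        out = tmp;  // only publish a fully decoded value
        return true;
    } catch (const std::exception&) {
        return false;
    }
}

// --- constructed sample messages (not captured from any real system) ---
static void put_i32(std::vector<uint8_t>& out, int32_t v) {
    uint8_t b[sizeof v];
    std::memcpy(b, &v, sizeof v);
    out.insert(out.end(), b, b + sizeof v);
}

std::vector<uint8_t> well_formed_message() {
    std::vector<uint8_t> m;
    const std::string name = "temp";
    put_i32(m, static_cast<int32_t>(name.size()));
    m.insert(m.end(), name.begin(), name.end());
    put_i32(m, 8);  // partition_count
    return m;
}

// Corruption variants of the kind a fault injector produces.
std::vector<uint8_t> negative_length_message() {
    std::vector<uint8_t> m; put_i32(m, -1); put_i32(m, 8); return m;
}
std::vector<uint8_t> overlong_length_message() {
    std::vector<uint8_t> m; put_i32(m, 1 << 30); put_i32(m, 8); return m;
}
std::vector<uint8_t> truncated_message() {
    std::vector<uint8_t> m = well_formed_message();
    m.resize(m.size() - 2);  // partition_count cut short
    return m;
}

// Convenience: does the buffer decode at all?
bool decodes(const std::vector<uint8_t>& buf) {
    config_response r;
    return try_unmarshall(buf, r);
}

int main() {
    std::printf("well-formed: %d\n", decodes(well_formed_message()));
    std::printf("negative length: %d\n", decodes(negative_length_message()));
    std::printf("over-long length: %d\n", decodes(overlong_length_message()));
    std::printf("truncated: %d\n", decodes(truncated_message()));
    return 0;
}
```

Two design points carry over to a real RPC layer: the length check happens before any allocation or copy, so an attacker-controlled or corrupted prefix cannot drive a huge allocation or an out-of-bounds read; and the wrapper writes the output only after the whole value decoded, so a caller that receives `false` never sees a half-filled struct.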

HX Lin added 9 commits June 25, 2026 08:17
rpc_client_matcher::on_recv_reply decodes the ERR_FORWARD_TO_OTHERS forward
address via try_unmarshall and delivers ERR_NETWORK_FAILURE to the waiting
caller on a decode failure, instead of forwarding to a garbage address.

command_manager::run_command returns false when a remote CLI response cannot
be decoded, and partition_resolver_simple surfaces a config-response decode
failure through client_err rather than throwing past the resolve callback.

Update rDSN.dist.service submodule pointer to pick up the meta/replica RPC
request-handler hardening.
Cover try_marshall and try_unmarshall success and failure paths with focused
rpc_message tests. The tests verify null-message handling, invalid format
handling, and a successful string round-trip through a receive-mode message
copy.

Update rDSN.dist.service submodule to allow DSF_INVALID for opaque mutation-log
records while still rejecting out-of-range serialization values.
@linmajia linmajia merged commit 45dcaac into microsoft:master Jun 27, 2026
2 checks passed
@linmajia linmajia deleted the fix branch June 27, 2026 10:35