Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ames: account for variable-size num fragments #561

Merged
merged 1 commit into from
Dec 4, 2023
Merged

ames: account for variable-size num fragments #561

merged 1 commit into from
Dec 4, 2023

Conversation

yosoyubik
Copy link
Contributor

Currently we assume that the number of fragments in a meow has a fixed size of 4 bytes (which is also how we deserialize meows in in lull.hoon; see +sift-meow), but in some cases we will retrieve from the cache a meow that has less than 4 bytes, which means that we will go over the actual length of the meow when calculating the size of the response to be sent.

(To reproduce the problem, this pdf will cause the publisher to crash on the last fragment if anybody requests it using remote scry)

This PR fixes this by checking how many bytes are actually used in a word, and then using that information to correctly calculate the size of the meow.

Thanks to @pkova and @joemfb for helping with this.

@yosoyubik yosoyubik requested a review from a team as a code owner December 1, 2023 09:25
@belisarius222
Copy link
Contributor

When would siz_s be zero for a fragment in a non-empty response message?

@yosoyubik
Copy link
Contributor Author

I think siz_s won't be 0 for a non-empty response. What I think happens is that we have a fragment that is a bunch of 0s, but we still sign it. This makes the number of fragment in the meow take less that the expected 4 bytes but if we still increase the counter by 4, when we calculate siz_s here mew_u->siz_s = len_w - cur_w; (cur_w > len_w) which will make siz_s huge, which will in turn crash here:

  //  write response fragment data
  //
  memcpy(buf_y + cur_w, mew_u->dat_y, mew_u->siz_s);

@pkova
Copy link
Collaborator

pkova commented Dec 4, 2023

Consider the following scenario.

We are making a fine request where the response contains 65535 fragments. Almost all of the fragments look like this:

normal fragment

We are specifically concerned with the end of the UDP packet here. The last two fields are the total number of fragments and the actual fragment data. The total number of fragments is normally four bytes long, however...

The problematic scenario occurs when the fragment happens to contain all zeroes. We represent zero fragments by having the data field be completely empty, but this means that the previous field will now be variable width, like this!

zero fragment

The UDP packet just ends after two bytes! This is questionable design to say the least. This is the scenario that this PR addresses.

joemfb
joemfb approved these changes Dec 4, 2023
View reviewed changes
Copy link
Member

@joemfb joemfb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will do

@pkova pkova merged commit 3d93dc2 into develop Dec 4, 2023
5 checks passed
@pkova pkova deleted the yu/fix-remote-scry branch December 4, 2023 16:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joemfb joemfb joemfb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@yosoyubik @belisarius222 @pkova @joemfb