Please report new issues athttps://github.com/DOCGroup
TAO VERSION: 2.2.1 ACE VERSION: 6.2.1 HOST MACHINE and OPERATING SYSTEM: Linux Debian 7.0 on amd64 COMPILER NAME AND VERSION (AND PATCHLEVEL): gcc (Debian 4.7.2-5) THE $ACE_ROOT/ace/config.h FILE: config-linux.h THE $ACE_ROOT/include/makeinclude/platform_macros.GNU FILE: platform_linux.GNU CONTENTS OF $ACE_ROOT/bin/MakeProjectCreator/config/default.features: unmodified AREA/CLASS/EXAMPLE AFFECTED: TAO_IDL ? DOES THE PROBLEM AFFECT: EXECUTION? YES SYNOPSIS: When - TAO server runs with ISO8859-1 as native codeset for chars - client negotiates UTF-8 encoding - client sends *invalid* UTF-8 sequence TAO server receives NULL pointer as parameter for string DESCRIPTION: ============== * IDL: typedef sequence<octet> OctetSeq; interface CorbaSimple { OctetSeq hello_s (in string s); }; ============== * Implementation OctetSeq CorbaSimple_i::hello_s (const char* s) { if (!s) std::cout << "GOT NULL" << std::endl; return new OctetSeq; } ============== * TAO server starts with no codeset options specified. byte jim[]= { (byte)0xef, (byte)0xbf, (byte)0xbd }; ============== Jacorb client code snippet: byte badbytes[]= { (byte)0xbd }; String inp = new String (badbytes, "UTF-8"); byte[] rv = srv.hello_s (inp); While the client is obviously misbehaving, I believe TAO server should never pass NULL pointer to application code. Here is portion of debug output with -ORBDebugLevel 10: GIOP message - HEXDUMP 134 bytes 47 49 4f 50 01 02 00 00 00 00 00 7a 00 00 00 00 GIOP.......z.... 03 00 00 00 00 00 00 00 00 00 00 3e 14 01 0f 00 ...........>.... 4e 55 50 00 00 00 20 01 00 00 00 01 00 00 00 52 NUP... ........R 6f 6f 74 50 4f 41 00 43 6f 72 62 61 53 69 6d 70 ootPOA.CorbaSimp 6c 65 5f 50 4f 41 00 00 00 00 00 01 00 00 00 43 le_POA.........C 6f 72 62 61 53 69 6d 70 6c 65 00 00 00 00 00 08 orbaSimple...... 68 65 6c 6c 6f 5f 73 00 00 00 00 01 00 00 00 01 hello_s......... 00 00 00 0c 00 00 00 00 05 01 00 01 00 01 01 09 ................ 00 00 00 02 fd 00 ...... TAO (5827|140450518775552) - Codeset_Manager_i::process_service_context, using tcsc <UTF-8> (05010001), tcsw <UTF-16> (00010109) (140450518775552) calling CorbaSimple_i::hello in file `CorbaSimple_i.cpp' on line 48 (5827|140450518775552|2014-05-28 15:09:26.839608) DIED... (140450518775552) leaving CorbaSimple_i::hello TAO (5827|140450518775552) - GIOP_Message_Base::dump_msg, send GIOP message v1.2, 16 data bytes, my endian, Type Reply[0] GIOP message - HEXDUMP 28 bytes 47 49 4f 50 01 02 01 01 10 00 00 00 00 00 00 00 GIOP............ 00 00 00 00 00 00 00 00 00 00 00 00 ............
Further analysis: The stack trace: #0 TAO_2_2_1::TAO_InputCDR::throw_skel_exception (error_num=0) at CDR.cpp:360 #1 0x00007ff33e4acfc3 in TAO_2_2_1::TAO::Upcall_Wrapper::pre_upcall (this=0x7ff33aebb30f, cdr=..., args=0x7ff33aebb310, nargs=2) at Upcall_Wrapper.cpp:236 #2 0x00007ff33e4acb28 in TAO_2_2_1::TAO::Upcall_Wrapper::upcall (this=0x7ff33aebb30f, server_request=..., args=0x7ff33aebb310, nargs=2, command=..., servant_upcall=0x7ff33aebb450, exceptions=0x0, nexceptions=0) at Upcall_Wrapper.cpp:46 #3 0x00007ff33b6dd24e in POA_mpathix::test::CorbaSimple::hello_s_skel (server_request=..., servant_upcall=0x7ff33aebb450, servant=0x1c2c300) at CorbaSimpleS.cpp:355 Faulty behaviour: - TAO_UTF8_Latin1_Translator::read_string: . detects invalid UTF-8 sequence . de-allocates the string . does *not* set errno . returns 0 - TAO::Upcall_Wrapper::pre_upcall invokes TAO_InputCDR::throw_skel_exception(errno), errno happens to be 0 - TAO_InputCDR::throw_skel_exception(0) is a no-op - as a result MyServant::op () is invoked with NULL pointer for string argument It appears that: - all execution paths in TAO_InputCDR::read* and TAO_OutputCDR::write* returning 0 should simultaneously set errno, *or* Upcall_Wrapper::pre_upcall should set one if it wasn't set. - TAO_InputCDR::throw_(skel/stub)_exception should 'assert(error_number!=0)'
Asserts are bad, shouldn't do that. What is the exception and minor code the client should get?
(In reply to comment #2) > Asserts are bad, shouldn't do that. I guess that is a point of view. My take on it is that this bug could have been detected a lot earlier if there were assert in those lines. It doesn't feel right to throw an exception if error_code==0. I remember seeing NULL ptrs once in a blue moon, never figured out where they come from... > What is the exception and minor code the client should get? Not too sure about this. For this partucular case (bad UTF-8 sequence) reading from 04-03-12.pdf, chapter 13.10.2.6 "Code Set Negotiation" > A DATA_CONVERSION exception is raised when a client or server attempts > to transmit a character that does not map into the negotiated > transmission code set. For example, not all characters in Taiwan Chinese map > into Unicode. When an attempt is made to transmit one of these characters via > Unicode, an ORB is required to raise a DATA_CONVERSION exception, with standard > minor code 1. so, it looks like errno should be set to ERANGE, for this case.
Created attachment 1491 [details] Prevent invoking servant with NULL pointer for in string parameter Proposed patch: - Upcall_Wrapper.cpp, AMI_Arguments_Converter_Impl.cpp, DII_Arguments_Converter_Impl.cpp Rake sure TAO_{Input/Output}CDR::throw_skel_exception is always invoked with non zero argument. Use errno, or EPROTO if errno is not set. EPROTO will throw CORBA::MARSHAL exception. - UTF8_Latin1_Translator::read_string set errno to ERANGE when UTF-8 sequence cannot be translated to ISO8859-1 char. This will generate CORBA::DATA_CONVERSION with minor code 1
It could be that the throw_skel_exception/throw_stub_exception are called from places that are not in our repo (some extensions), therefor it would be better to handle a errno of 0 in these methods itself instead of in the calling code. That would reduce the amount of changes also Also it is pretty expensive to use errno on some platforms
The problem is that the interface to TAO::Argument is not stipulating anything about using errno, and TAO::Upcall_Wrapper,TAO_UTF8_Latin1_Translator,and TAO_{Input,Output}CDR are using it incosistently. The only way not to break any of 3rd party libs relying on this assumption is to actually go through the all possible execution paths in TAO_UTF8_Latin1_Translator (and presumably TAO_UTF16_BOM_Translator), and make sure errno is set when 0 is returned. My patch modified TAO::Upcall_Wrapper::pre_upcall and similar functions to replace this loop for (TAO::Argument * const * i = begin; i != end; ++i) if (!(*i)->demarshal (cdr)) TAO_InputCDR::throw_skel_exception (errno ? errno : EPROTO); with for (TAO::Argument * const * i = begin; i != end; ++i) if (!(*i)->demarshal (cdr)) TAO_InputCDR::throw_skel_exception (errno); This has a potential to break codeset translation libs which assumed that when errno==0, no exception should be thrown, even though demarsharl() returns 0. (the errno usage is subotimal, since is used twice, but that would be easy to avoid by introducing local int var...)
When looking at Svn history I still stay with my idea, but this has to be tested
I just became aware of this bug. Back in the day, when implementing the codeset translation feature, I needed a way to indicate different errors to raise various spec defined exceptions. When I created the helper functions, I made two mistakes. First, I assumed that all CDR functions set errno. They do not. The solution for this is to initialize errno prior to marshaling operations. The second mistake, for which I cannot recall a motivation, was to assume errno of 0 is not an error. In all cases, the various throw_*_exceptions are called when marshaling fails. At that point message processing should stop and an exception raised, even when the errno is 0. I have a test driver provided to me by a customer. I need to recreate that in a fashion that will fit our test suite. That will happen this week.
taking
Phil, is this fixed?
It is fixed but I never got around to building the test I mentioned. Here's the change log, I actually fixed it before I found this bug. Fri Aug 29 20:26:57 UTC 2014 Phil Mesnier <mesnier_p@ociweb.com> * tao/CDR.cpp: * tao/DynamicInterface/DII_Arguments_Converter_Impl.cpp: * tao/Messaging/AMI_Arguments_Converter_Impl.cpp: * tao/PortableServer/Upcall_Wrapper.cpp: Fixed a vulnerability. In cases where errno happened to be zero when demarshaling a malformed string (length > available buffer) does not result in an exception being raised, rather a null char * will be passed to the servant. Also ensured the errno is set to a known state as CDR does not set errno in all failure cases, but always returns the status of the goodbit, so a demashal fail with an errno of zero still needs to raise the appropriate MARSHAL exception.