[omniORB] bug report: data alignment error in giopStream.cc
Bastiaan Bakker
Bastiaan.Bakker@lifeline.nl
Wed, 6 Feb 2002 17:29:21 +0100
Hi all,

I ran into yet another bug which can crash omniORB4 CORBA servers. It's a data alignment problem in ensureSaneHeader() in giopStream.cc. Line 737 reads:

    CORBA::ULong msz = *(CORBA::ULong*)(hdr + 8);

hdr is a pointer into a giopStream_Buffer, starting at the beginning of a GIOP message. Most of the time the buffer contains only one message, in which case hdr will point at the beginning of the data in the buffer. This is at offset 24, so if the buffer is correctly aligned, so will be hdr (and hdr + 8).

But if the buffer contains more than one message this no longer holds. The data of the second message follows directly after the first. Since the length of a GIOP message need not be a multiple of 4, hdr can become unaligned, resulting in an error in the above line. Surprisingly, Solaris treated me to a segfault rather than a bus error.

Do any of the omniORB developers know whether in other places similar flawed assumptions about alignment may have been made?

Cheers,

Bastiaan Bakker
LifeLine Networks bv
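The alignment-safe read this report calls for, as an added example in C that is not omniORB's code: giop_msg_size() fetches message_size at hdr + 8 with memcpy instead of a pointer cast, and giop_walk() steps through a buffer holding two back-to-back messages, the second of which starts at offset 17 because the first body is 5 bytes long. The GIOP header layout, the function names and the constructed sample bytes are assumptions of the example, not taken from the report.

```c
#include <stdint.h>
#include <string.h>
/* GIOP header: bytes 0-3 "GIOP", 4-5 version, 6 flags (bit 0 set = little-endian
 * sender), 7 message type, 8-11 message_size (body length, 12-byte header excluded). */
#define GIOP_HDR_LEN 12
/* Alignment-safe replacement for *(CORBA::ULong*)(hdr + 8): memcpy into a local is
 * valid at any offset; the sender's byte-order flag is honoured. 1 = ok, 0 = bad. */
int giop_msg_size(const unsigned char *hdr, size_t avail, uint32_t *size)
{
    const uint16_t probe = 1; const int host_little = *(const unsigned char *)&probe == 1;
    uint32_t raw;
    if (avail < GIOP_HDR_LEN || memcmp(hdr, "GIOP", 4) != 0)
        return 0;
    memcpy(&raw, hdr + 8, sizeof raw);        /* no alignment assumption */
    if (((hdr[6] & 1) != 0) != host_little)   /* sender and host orders differ */
        raw = (raw >> 24) | ((raw >> 8) & 0xff00) | ((raw << 8) & 0xff0000) | (raw << 24);
    *size = raw;
    return 1;
}
/* Walk a buffer of back-to-back messages, recording each start offset. Returns the
 * count, or -1 on a bad header, a body overrunning the buffer, or more than max. */
int giop_walk(const unsigned char *buf, size_t len, size_t *offs, int max)
{
    size_t pos = 0; int n = 0;
    while (pos < len) {
        uint32_t body;
        if (n == max || !giop_msg_size(buf + pos, len - pos, &body) ||
            body > len - pos - GIOP_HDR_LEN)  /* short, bad, or truncated */
            return -1;
        offs[n++] = pos;                      /* may well be unaligned */
        pos += GIOP_HDR_LEN + body;
    }
    return n;
}
/* Constructed sample: a 5-byte little-endian message, then a 3-byte big-endian one,
 * so the second header starts at offset 17, which is not a multiple of 4. */
static const unsigned char sample_stream[] = {
    'G','I','O','P', 1,0, 0x01, 0, 0x05,0x00,0x00,0x00, 'a','b','c','d','e',
    'G','I','O','P', 1,0, 0x00, 0, 0x00,0x00,0x00,0x03, 'x','y','z' };
/* Start offset (which == 0) or body size (which == 1) of sample message i, else -1. */
long sample_info(int i, int which)
{
    size_t offs[4]; uint32_t sz;
    int n = giop_walk(sample_stream, sizeof sample_stream, offs, 4);
    if (i < 0 || i >= n) return -1;
    if (which == 0) return (long)offs[i];
    giop_msg_size(sample_stream + offs[i], sizeof sample_stream - offs[i], &sz);
    return (long)sz;
}
```

The same memcpy-based read is what the original cast should be replaced with wherever a header may follow a body of arbitrary length.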