Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix decoding of truncated messages containing variable length arrays [AP-948] #1381

Merged
merged 1 commit into from
Nov 21, 2023
Merged

Fix decoding of truncated messages containing variable length arrays [AP-948] #1381

merged 1 commit into from
Nov 21, 2023

Conversation

woodfell
Copy link
Contributor

@woodfell woodfell commented Nov 21, 2023
edited
Loading

Description

@swift-nav/devinfra

If an SBP message has a variable length array of some type, when decoding a input wire encoded buffer which has been truncated the decoder will not produce an error when it should.

Imagine a message containing some amount of overhead, then a variable length array of some type.

+---------------------------------------+
| header | elem0 | elem1 | .... | elemN |
+---------------------------------------+

In this message the array is not fixed length, rather the number of elements is variable and is calculated from the size of the input buffer:

num_elems = (sizeof(input_buffer) - sizeof(header)) / sizeof(elem)

Decoding of each element is then performed in a loop:

for (int i = 0; i < num_elems; i++) {
  result = decode_elem(buffer, &output[i]);
}

If the size of the header is 3 bytes and the size of each element is 4 bytes an example representation on the wire could be:
offset

      0   1   2   3   4   5   6   7   8   9   A   
      +-----------+---------------+---------------+
      | header    | elem0         | elem1         |
      +-----------+---------------+---------------+

And so long as this is what’s fed in to the decoder then num_elems will be correctly calculated as 2 and all input data will be consumed.

But if the input buffer is somehow truncated:

offset
      0   1   2   3   4   5   6   7   8   
      +-----------+---------------+-------|
      | header    | elem0         | elem1 |
      +-----------+---------------+-------|
                                          ^
                                          abnormally truncated at this point

then due to integer rounding num_elems will be calculated as 1. Only the first element of the array will be decoded (and it will succeed), but the truncated data at the end of the input buffer will not be considered at all.

The correct behaviour in this situation should be for the decoder to notice that the input buffer does not contain an integer number of elements in the variable length array and return an error

API compatibility

Does this change introduce a API compatibility risk?

No

API compatibility plan

If the above is "Yes", please detail the compatibility (or migration) plan:

N/A

JIRA Reference

https://swift-nav.atlassian.net/browse/AP-948

woodfell
woodfell commented Nov 21, 2023
View reviewed changes
generator/sbpg/targets/resources/c/src/sbp_messages_template.c
@@ -218,6 +218,9 @@ bool (((m.internal_decode_fn)))(sbp_decode_ctx_t *ctx, (((m.type_name))) *msg)
if (!(((f.decode_fn)))(ctx, &(((field)))[i])) { return false; }
}
((*- elif f.packing == "variable-array" *))
if ( ((ctx->buf_len - ctx->offset) % (((f.encoded_len_macro)))) != 0) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the only change in need of review, everything else is generated

@woodfell woodfell marked this pull request as ready for review November 21, 2023 02:10
@woodfell woodfell requested review from jungleraptor and a team as code owners November 21, 2023 02:10
@woodfell
Copy link
Contributor Author

Note code coverage is going to fail for the moment, I'm working on increasing it on separate PRs

RReichert
RReichert approved these changes Nov 21, 2023
View reviewed changes
Copy link
Contributor

@RReichert RReichert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch

Base automatically changed from woodfell/fix_incorrect_string_encoding to master November 21, 2023 02:48
@woodfell woodfell force-pushed the woodfell/fix_decoding_of_truncated_messages branch from c6dafad to 28afe31 Compare November 21, 2023 02:48
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Nov 21, 2023

[libsbp-c] SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

0.0% 0.0% Coverage
20.5% 20.5% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@woodfell woodfell enabled auto-merge (squash) November 21, 2023 02:55
ghufrankhan7
ghufrankhan7 approved these changes Nov 21, 2023
View reviewed changes
Copy link

@ghufrankhan7 ghufrankhan7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@woodfell woodfell merged commit b2fce6d into master Nov 21, 2023
21 of 22 checks passed
@woodfell woodfell deleted the woodfell/fix_decoding_of_truncated_messages branch November 21, 2023 03:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ghufrankhan7 ghufrankhan7 ghufrankhan7 approved these changes

@RReichert RReichert RReichert approved these changes

@jungleraptor jungleraptor Awaiting requested review from jungleraptor

@notoriaga notoriaga Awaiting requested review from notoriaga

@pcrumley pcrumley Awaiting requested review from pcrumley

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woodfell @RReichert @ghufrankhan7