From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp34.i.mail.ru (smtp34.i.mail.ru [94.100.177.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 414A1445320 for ; Fri, 10 Jul 2020 15:01:11 +0300 (MSK) From: Roman Khabibov Date: Fri, 10 Jul 2020 15:01:09 +0300 Message-Id: <20200710120109.91675-1-roman.habibov@tarantool.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [Tarantool-patches] [PATCH] serilaizer: check for recursive serialization List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: tarantool-patches@dev.tarantool.org Add a limit to the number of calls to the __serialize function. Throw error in case of very deep (most likely endless) recursion. Closes #3228 --- Branch: https://github.com/tarantool/tarantool/tree/romanhabibov/gh-3228-serialize Issue: https://github.com/tarantool/tarantool/issues/3228 @ChangeLog - Fix bug with bus error when __serialize function generates infinite recursion. src/lua/utils.c | 8 ++++++++ ...-3228-serializer-look-for-recursion.result | 19 +++++++++++++++++++ ...228-serializer-look-for-recursion.test.lua | 8 ++++++++ 3 files changed, 35 insertions(+) create mode 100644 test/app/gh-3228-serializer-look-for-recursion.result create mode 100644 test/app/gh-3228-serializer-look-for-recursion.test.lua diff --git a/src/lua/utils.c b/src/lua/utils.c index 0b05d7257..7e55d43f1 100644 --- a/src/lua/utils.c +++ b/src/lua/utils.c @@ -50,6 +50,9 @@ static uint32_t CTID_CONST_CHAR_PTR; static uint32_t CTID_UUID; uint32_t CTID_DECIMAL; +enum { + SERIALIZER_CRITICAL_RECURSION_DEPTH = 256 +}; void * luaL_pushcdata(struct lua_State *L, uint32_t ctypeid) 
@@ -490,6 +493,11 @@ static int lua_field_try_serialize(struct lua_State *L, struct luaL_serializer *cfg, int idx, struct luaL_field *field) { + if (idx > SERIALIZER_CRITICAL_RECURSION_DEPTH) { + diag_set(LuajitError, LUAL_SERIALIZE " generates too deep " + "recursion"); + return -1; + } if (luaL_getmetafield(L, idx, LUAL_SERIALIZE) == 0) return 1; if (lua_isfunction(L, -1)) { diff --git a/test/app/gh-3228-serializer-look-for-recursion.result b/test/app/gh-3228-serializer-look-for-recursion.result new file mode 100644 index 000000000..f105bfae9 --- /dev/null +++ b/test/app/gh-3228-serializer-look-for-recursion.result @@ -0,0 +1,19 @@ +-- test-run result file version 2 +test_run = require('test_run').new() + | --- + | ... + +-- +-- gh-3228: Check the error message in the case of a __serialize +-- function generating infinite recursion. +-- +setmetatable({}, {__serialize = function(a) return a end}) + | --- + | - error: 'console: an exception occurred when formatting the output: __serialize generates + | too deep recursion' + | ... +setmetatable({}, {__serialize = function(a, b, c) return a, b, c end}) + | --- + | - error: 'console: an exception occurred when formatting the output: __serialize generates + | too deep recursion' + | ... diff --git a/test/app/gh-3228-serializer-look-for-recursion.test.lua b/test/app/gh-3228-serializer-look-for-recursion.test.lua new file mode 100644 index 000000000..d3c76ef0c --- /dev/null +++ b/test/app/gh-3228-serializer-look-for-recursion.test.lua @@ -0,0 +1,8 @@ +test_run = require('test_run').new() + +-- +-- gh-3228: Check the error message in the case of a __serialize +-- function generating infinite recursion. +-- +setmetatable({}, {__serialize = function(a) return a end}) +setmetatable({}, {__serialize = function(a, b, c) return a, b, c end}) -- 2.21.0 (Apple Git-122)
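Review bot: the enum added to src/lua/utils.c under `uint32_t CTID_DECIMAL;` has no comment saying which quantity SERIALIZER_CRITICAL_RECURSION_DEPTH bounds or why the value is 256, and no blank line separates it from the CTID declarations above it. Add a short comment stating what is limited (the commit message says calls to __serialize) and that exceeding the limit raises an error, and set the block off with a blank line.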
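Review bot: in lua_field_try_serialize the guard `if (idx > SERIALIZER_CRITICAL_RECURSION_DEPTH)` compares a Lua stack index, not a count of __serialize calls; `idx` is the same value handed to `luaL_getmetafield(L, idx, LUAL_SERIALIZE)` on the line after the guard. The limit therefore depends on how many values are on the stack when the function is entered: a caller with more than 256 stack slots in use would get the "too deep recursion" error without any recursion, and if a caller passes a negative (relative) index the check never fires. The commit message describes a limit on the number of __serialize calls, so carry an explicit depth counter through the recursive path and compare that against the constant instead of `idx`.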
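Review bot: both cases in test/app/gh-3228-serializer-look-for-recursion.test.lua reach the new check only through the console formatter (the expected output in the .result file is wrapped in 'console: an exception occurred when formatting the output'), while the check itself sits in lua_field_try_serialize, which takes a generic `struct luaL_serializer *cfg`. Add a case that reaches the check through another user of the serializer, and a negative case showing that a __serialize function that terminates is still serialized normally, so the limit is tested from both sides. The comment block also does not say what the second case, `function(a, b, c) return a, b, c end`, covers that the first one does not; state that or drop the case.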