add limit check for writer_count given to response::acquire_channel()

project-tsurugi · Jan 17, 2025 · 3f27805 · 3f27805
1 parent 0489be5
commit 3f27805
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 4 deletions.
diff --git a/src/tateyama/endpoint/ipc/ipc_response.cpp b/src/tateyama/endpoint/ipc/ipc_response.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2024 Project Tsurugi.
+ * Copyright 2018-2025 Project Tsurugi.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -110,6 +110,11 @@ tateyama::status ipc_response::acquire_channel(std::string_view name, std::share
         set_state(state::acquire_failed);
         return tateyama::status::unknown;
     }
+    if (writer_count > (UINT8_MAX + 1)) {
+        LOG_LP(ERROR) << "too large writer count (" << writer_count << ") given";
+        set_state(state::acquire_failed);
+        return tateyama::status::unknown;
+    }
     try {
         data_channel_ = std::make_shared<ipc_data_channel>(server_wire_->create_resultset_wires(name, writer_count), garbage_collector_);
     } catch (std::exception &ex) {

diff --git a/src/tateyama/endpoint/loopback/loopback_response.cpp b/src/tateyama/endpoint/loopback/loopback_response.cpp
@@ -14,13 +14,21 @@
  * limitations under the License.
  */
 
+#include <glog/logging.h>
+#include <tateyama/tateyama/logging_helper.h>
+
 #include "loopback_response.h"
 
 namespace tateyama::endpoint::loopback {
 
 tateyama::status loopback_response::acquire_channel(std::string_view name,
                                                     std::shared_ptr<tateyama::api::server::data_channel> &ch,
-                                                    [[maybe_unused]] std::size_t writer_count) {
+                                                    std::size_t writer_count) {
+    if (writer_count > (UINT8_MAX + 1)) {
+        LOG_LP(ERROR) << "too large writer count (" << writer_count << ") given";
+        return tateyama::status::unknown;
+    }
+
     std::unique_lock<std::mutex> lock(mtx_channel_map_);
     if (channel_map_.find(name) != channel_map_.cend()) {
         // already acquired the same name channel

diff --git a/src/tateyama/endpoint/stream/stream_response.cpp b/src/tateyama/endpoint/stream/stream_response.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright 2018-2024 Project Tsurugi.
+ * Copyright 2018-2025 Project Tsurugi.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -97,7 +97,12 @@ void stream_response::server_diagnostics(std::string_view diagnostic_record) {
     stream_->send(index_, s, true);
 }
 
-tateyama::status stream_response::acquire_channel(std::string_view name, std::shared_ptr<tateyama::api::server::data_channel>& ch, [[maybe_unused]] std::size_t writer_count) {
+tateyama::status stream_response::acquire_channel(std::string_view name, std::shared_ptr<tateyama::api::server::data_channel>& ch, std::size_t writer_count) {
+    if (writer_count > (UINT8_MAX + 1)) {
+        LOG_LP(ERROR) << "too large writer count (" << writer_count << ") given";
+        set_state(state::acquire_failed);
+        return tateyama::status::unknown;
+    }
     try {
         auto slot = stream_->look_for_slot();
         data_channel_ = std::make_unique<stream_data_channel>(stream_, slot);