Harden core RPC marshalling, decode, and message parsing against corrupted data#258
Merged
added 9 commits
June 25, 2026 08:17
rpc_client_matcher::on_recv_reply decodes the ERR_FORWARD_TO_OTHERS forward address via try_unmarshall and delivers ERR_NETWORK_FAILURE to the waiting caller on a decode failure, instead of forwarding to a garbage address. command_manager::run_command returns false when a remote CLI response cannot be decoded, and partition_resolver_simple surfaces a config-response decode failure through client_err rather than throwing past the resolve callback. Update rDSN.dist.service submodule pointer to pick up the meta/replica RPC request-handler hardening.
Cover try_marshall and try_unmarshall success and failure paths with focused rpc_message tests. The tests verify null-message handling, invalid format handling, and a successful string round-trip through a receive-mode message copy. Update rDSN.dist.service submodule to allow DSF_INVALID for opaque mutation-log records while still rejecting out-of-range serialization values.
Summary
Hardens the core serialization/RPC layer and network message parsers so that malformed or fault-injected data is rejected cleanly instead of asserting, aborting, or dereferencing null. Bumps the rDSN.dist.service submodule to pick up the matching meta/replica hardening.
Changes
- include/dsn/cpp/serialization.h, serialization_helper/thrift_helper.h, clientlet.h, rpc_stream.h, serverlet.h, src/dev/cpp/utils.cpp: marshall() throws instead of asserting on invalid input/format/writer failure; added try_marshall()/try_unmarshall(); typed client/server request/reply paths route through the checked wrappers. binary_reader string/blob/buffer reads reject negative/over-long lengths.
- src/core/src/rpc_engine.cpp, command_manager.cpp, dist.uri.resolver/partition_resolver_simple.cpp: on_recv_reply decodes the ERR_FORWARD_TO_OTHERS forward address via try_unmarshall and delivers ERR_NETWORK_FAILURE on failure instead of forwarding to a garbage address; run_command returns false on an undecodable CLI response; the resolver surfaces a config-response decode failure via client_err.
- src/plugins/tools.common/thrift_message_parser.cpp: reject malformed thrift input through the parser error path instead of dereferencing a null parse_message() result; catch decode exceptions around readMessageBegin; free the temporary message_ex on all failure paths; replace the request-only dassert with checked rejection of non-request messages.
- src/plugins/tools.common/fault_injector.cpp: safe handling of injected header/body corruption.
- src/core/src/rpc_message.test.cpp: cover the try_marshall/try_unmarshall null-message, invalid-format, and string round-trip paths.
- Bump rDSN.dist.service to the hardened revision.
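As an added example (not rDSN's own code), the following sketches the pattern the changes above describe: a reader whose string read validates a peer-supplied length prefix, a try_unmarshall-style wrapper that turns decode failures into a bool instead of an assert, and a reply handler that maps an undecodable forward address to ERR_NETWORK_FAILURE. The wire format, function names and the sample address are constructed for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed wire format: int32 length prefix (host byte order), then the bytes.
struct binary_reader {
    const std::vector<uint8_t>& buf;
    size_t pos = 0;
    explicit binary_reader(const std::vector<uint8_t>& b) : buf(b) {}
    size_t remaining() const { return buf.size() - pos; }
    int32_t read_i32() {
        if (remaining() < 4) throw std::runtime_error("truncated length prefix");
        int32_t v; std::memcpy(&v, buf.data() + pos, 4);
        pos += 4;
        return v;
    }
    // The length comes from the peer, so it is checked against the bytes actually
    // present before anything is copied (the binary_reader hardening described above).
    std::string read_string() {
        int32_t len = read_i32();
        if (len < 0) throw std::runtime_error("negative length");
        if (static_cast<size_t>(len) > remaining()) throw std::runtime_error("over-long length");
        std::string s(reinterpret_cast<const char*>(buf.data() + pos), static_cast<size_t>(len));
        pos += static_cast<size_t>(len);
        return s;
    }
};
// try_unmarshall-style wrapper: a decode failure becomes false, not an assert/abort.
bool try_unmarshall_string(const std::vector<uint8_t>& msg, std::string& out) {
    try {
        binary_reader r(msg);
        out = r.read_string();
        return true;
    } catch (const std::exception&) {
        return false;
    }
}
// Sketch of the on_recv_reply rule: an undecodable forward address yields
// ERR_NETWORK_FAILURE instead of a forward to a garbage address.
std::string handle_forward_reply(const std::vector<uint8_t>& body) {
    std::string addr;
    return try_unmarshall_string(body, addr) ? "forward:" + addr : std::string("ERR_NETWORK_FAILURE");
}
// Builds a well-formed message for the round-trip check (constructed helper).
std::vector<uint8_t> marshall_string(const std::string& s) {
    int32_t len = static_cast<int32_t>(s.size());
    std::vector<uint8_t> v(reinterpret_cast<uint8_t*>(&len), reinterpret_cast<uint8_t*>(&len) + 4);
    v.insert(v.end(), s.begin(), s.end());
    return v;
}
```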