Thrift / THRIFT-3941

WinXP version of thrift_poll() relies on undefined behavior by passing a destructed variable to select()

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.3
    • Fix Version/s: 0.10.0
    • Component/s: C++ - Library
    • Labels: None

    Description

      thrift_poll() for WINVER <= 0x0502 in thrift/windows/WinFnctl.cpp shadows the 'time_out' variable, and it ends up passing the destructed copy to select():

      timeval time_out;
      timeval* time_out_ptr = NULL;
      if (timeout >= 0) {
        timeval time_out = {timeout / 1000, (timeout % 1000) * 1000};
        time_out_ptr = &time_out;
      } else {
        // to avoid compiler warnings
        (void)time_out;
        (void)timeout;
      }

      int sktready = select(1, read_fds_ptr, write_fds_ptr, NULL, time_out_ptr);

      Stepping through this code in the debugger, it looks like MSVC reserves a large enough stack frame to avoid overwriting the variable when calling select(), which may be why this hasn't been caught yet.

            People

              tewang Ted Wang
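A corrected shape for the timeout handling described in the report, as an added example that is not part of the original issue and is not Thrift's actual fix. It keeps the `timeval` in the same scope as the `select()` call so the pointer never outlives its object. It uses POSIX `select()` so it runs off Windows; `to_select_timeout` and `wait_readable` are hypothetical names.

```cpp
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>
#include <cstddef>

// Hypothetical helper (not Thrift's API): fill caller-owned storage and
// return the pointer select() expects. A negative timeout means "block
// indefinitely", which select() expresses as a NULL timeout pointer.
static timeval* to_select_timeout(int timeout_ms, timeval& storage) {
  if (timeout_ms < 0) {
    return NULL;
  }
  storage.tv_sec = timeout_ms / 1000;
  storage.tv_usec = (timeout_ms % 1000) * 1000;
  return &storage;
}

// Hypothetical poll()-style wrapper for a single descriptor.
// Returns select()'s result: 1 = readable, 0 = timed out, -1 = error.
int wait_readable(int fd, int timeout_ms) {
  fd_set read_fds;
  FD_ZERO(&read_fds);
  FD_SET(fd, &read_fds);

  // One declaration, in the same scope as the select() call. The report's
  // bug was a second 'timeval time_out' inside the if-block: its address
  // was stored, then the object went out of scope before select() ran.
  timeval time_out = {0, 0};
  timeval* time_out_ptr = to_select_timeout(timeout_ms, time_out);

  return select(fd + 1, &read_fds, NULL, NULL, time_out_ptr);
}
```

Compiling the snippet from the report with `-Wshadow` (GCC/Clang) or with MSVC warning C4456 enabled flags the inner redeclaration of `time_out`.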