osmocom
/
libosmocore
mirror of https://gerrit.osmocom.org/libosmocore
11
0
Fork 0
Code Issues Releases Wiki Activity

osmo_fsm_inst_state_chg(): clamp timeout_secs to <= ~68 years 

During testing of the upcoming tdef API, it became apparent that passing very
large timeout values to osmo_fsm_inst_state_chg() wraps back in the number
range, and might actually result in effectively very short timeouts instead.

Since time_t's range is not well defined across platforms, use a reasonable
maximum value of signed 32 bit integer. Hence this will be safe at least on
systems with an int32_t for struct timeval.tv_sec and larger.

Clamp the osmo_fsm_inst_state_chg() timeout_secs argument to a maximum of
0x7fffffff, which amounts to just above 68 years:
float(0x7fffffff) / (60. * 60 * 24 * 365.25) = 68.04965038532715

(In upcoming patch Ibd6b1ed7f1bd6e1f2e0fde53352055a4468f23e5, this can be
verified to work by invoking tdef_test manually with a cmdline argument passed
to enable the range check.)

Change-Id: I35ec4654467b1d6040c8aa215049766089e5e64a
This commit is contained in:
Neels Hofmeyr 2019-01-28 19:06:53 +01:00
parent bd5a1dc84f
commit 89991fdb7c
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/fsm.c
View File

@ -437,6 +437,11 @@ static int state_chg(struct osmo_fsm_inst *fi, uint32_t new_state,
uint32_t old_state = fi->state;
const struct osmo_fsm_state *st = &fsm->states[fi->state];
/* Limit to 0x7fffffff seconds as explained by
* _osmo_fsm_inst_state_chg()'s API doc. */
if (timeout_secs > 0x7fffffff)
timeout_secs = 0x7fffffff;
/* validate if new_state is a valid state */
if (!(st->out_state_mask & (1 << new_state))) {
LOGPFSMLSRC(fi, LOGL_ERROR, file, line,
@ -493,9 +498,16 @@ static int state_chg(struct osmo_fsm_inst *fi, uint32_t new_state,
* timer_cb. If passing timeout_secs == 0, it is recommended to also pass T ==
* 0, so that fi->T is reset to 0 when no timeout is invoked.
*
* Range: since time_t's maximum value is not well defined in a cross platform
* way, clamp timeout_secs to the maximum of the signed 32bit range, or roughly
* 68 years (float(0x7fffffff) / (60. * 60 * 24 * 365.25) = 68.0497). Thus
* ensure that very large timeouts do not wrap around to become very small
* ones. Note though that this might still be unsafe on systems with a time_t
* range below 32 bits.
*
* \param[in] fi FSM instance whose state is to change
* \param[in] new_state The new state into which we should change
* \param[in] timeout_secs Timeout in seconds (if !=0)
* \param[in] timeout_secs Timeout in seconds (if !=0), maximum-clamped to 2147483647 seconds.
* \param[in] T Timer number (if \ref timeout_secs != 0)
* \param[in] file Calling source file (from osmo_fsm_inst_state_chg macro)
* \param[in] line Calling source line (from osmo_fsm_inst_state_chg macro)