Revise `cvplist` parameter of `ydb_call_variadic_plist_func()` from type `uintptr_t` to `gparam_list*`
Final Release Note
NO RELEASE NOTE NEEDED as this is an internal change. Any ripple effect changes to wrappers will be documented in Issues for each wrapper.
Description
Currently, the `ydb_call_variadic_plist_func()` function exposed in `libyottadb.h` expects its `cvplist` argument to be a `uintptr_t`, but the function it wraps, `callg_nc()`, expects this argument to be a `gparam_list *`.
This type mismatch can cause heap-buffer-overflow reads (as reported by AddressSanitizer) when the `cvplist` argument passed to `ydb_call_variadic_plist_func()` points to an array whose length is not a multiple of 4. `callg_nc()` assumes its argument is a `gparam_list`, which is guaranteed to point to a list whose length is a multiple of 4, and so it accesses list members in groups of 4 without checking the actual allocation.

So, if the `cvplist` argument to `ydb_call_variadic_plist_func()` is a `uintptr_t` that points to an array of length 3, `callg_nc()` will attempt to access a 4th item that was never allocated. That is, `callg_nc()` will read `cvplist[3]`, which lies past the end of the allocation, producing a heap-buffer-overflow read. Because the parameter is an untyped integer, the compiler cannot flag this misuse at the call site.
Accordingly, the interface to `ydb_call_variadic_plist_func()` should be revised from:

```c
int ydb_call_variadic_plist_func(ydb_vplist_func cgfunc, uintptr_t cvplist);
```

to:

```c
int ydb_call_variadic_plist_func(ydb_vplist_func cgfunc, gparam_list *cvplist);
```

This brings the interfaces of `ydb_call_variadic_plist_func()` and `callg_nc()` into conformity: application code using `ydb_call_variadic_plist_func()` must then supply a `gparam_list *` (with its multiple-of-4 length guarantee) rather than an arbitrary integer-cast pointer, which prevents the above heap-buffer-overflow scenario by construction. Wrapper code that currently passes a `uintptr_t` will need a corresponding signature change.
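The following is an added, self-contained C illustration of the failure mode and the fix described above; it is not YottaDB code. `toy_gparam_list`, `toy_callg_nc()`, `old_call_variadic_plist_func()`, `new_call_variadic_plist_func()`, `toy_plist_make()`, `toy_overrun_slots()` and `sum_args()` are all stand-ins invented here: the struct layout, the fixed-arity callee type and the group size of 4 model the behaviour the issue describes, not the real `gparam_list` or `callg_nc()` definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins (NOT YottaDB's definitions). The argument storage is sized
 * so that it is always a multiple of ARG_GROUP slots, mirroring the
 * multiple-of-4 guarantee the issue attributes to gparam_list. */
#define ARG_GROUP 4
#define ARG_MAX   8
#define ROUNDUP_GROUP(n) ((((n) + ARG_GROUP - 1) / ARG_GROUP) * ARG_GROUP)

typedef struct {
    size_t    n;             /* number of real arguments */
    uintptr_t arg[ARG_MAX];  /* slots beyond n are zero padding */
} toy_gparam_list;

/* Fixed-arity target: receives the count plus ARG_MAX argument slots. */
typedef intptr_t (*toy_vplist_func)(size_t n,
    uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3,
    uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7);

/* Toy callg_nc(): as the issue describes the real one, it fetches arguments
 * in groups of ARG_GROUP, so for n == 3 it still reads arg[3]. That read is
 * safe only because toy_gparam_list pads its storage. */
static intptr_t toy_callg_nc(toy_vplist_func f, const toy_gparam_list *pl)
{
    const uintptr_t *a = pl->arg;
    if (pl->n > ARG_MAX)
        return -1;  /* refuse oversize lists instead of reading past arg[] */
    switch (ROUNDUP_GROUP(pl->n)) {
    case 8:  return f(pl->n, a[0], a[1], a[2], a[3], a[4], a[5], a[6], a[7]);
    case 4:  return f(pl->n, a[0], a[1], a[2], a[3], 0, 0, 0, 0);
    default: return f(pl->n, 0, 0, 0, 0, 0, 0, 0, 0);
    }
}

/* Old-style wrapper: the untyped uintptr_t parameter accepts the address of
 * any buffer, e.g. a bare uintptr_t[3], which the group-of-4 walk overruns. */
static intptr_t old_call_variadic_plist_func(toy_vplist_func f, uintptr_t cvplist)
{
    return toy_callg_nc(f, (const toy_gparam_list *)cvplist);
}

/* New-style wrapper: the typed parameter forces callers to build a
 * toy_gparam_list, whose padded storage makes the group walk in-bounds. */
static intptr_t new_call_variadic_plist_func(toy_vplist_func f, const toy_gparam_list *cvplist)
{
    return toy_callg_nc(f, cvplist);
}

/* Build a padded list from n values; unused slots stay zero. */
static toy_gparam_list toy_plist_make(size_t n, const uintptr_t *vals)
{
    toy_gparam_list pl;
    memset(&pl, 0, sizeof pl);
    pl.n = n > ARG_MAX ? ARG_MAX : n;
    memcpy(pl.arg, vals, pl.n * sizeof(uintptr_t));
    return pl;
}

/* Number of slots the group-of-4 walk reads past the end of a bare array
 * of n elements: the out-of-bounds reads ASan would report. */
static size_t toy_overrun_slots(size_t n)
{
    return ROUNDUP_GROUP(n) - n;
}

/* Sample target: sums the first n arguments. */
static intptr_t sum_args(size_t n,
    uintptr_t a0, uintptr_t a1, uintptr_t a2, uintptr_t a3,
    uintptr_t a4, uintptr_t a5, uintptr_t a6, uintptr_t a7)
{
    uintptr_t v[ARG_MAX] = { a0, a1, a2, a3, a4, a5, a6, a7 };
    intptr_t s = 0;
    for (size_t i = 0; i < n && i < ARG_MAX; i++)
        s += (intptr_t)v[i];
    return s;
}

/* Three arguments (not a multiple of 4) through the typed interface. */
static intptr_t demo_three_args(void)
{
    uintptr_t vals[3] = { 10, 20, 12 };  /* constructed sample input */
    toy_gparam_list pl = toy_plist_make(3, vals);
    return new_call_variadic_plist_func(sum_args, &pl);
}

int main(void)
{
    printf("sum via typed interface: %ld\n", (long)demo_three_args());
    printf("slots a bare uintptr_t[3] would be overrun by: %zu\n",
           toy_overrun_slots(3));
    return 0;
}
```

Note that `old_call_variadic_plist_func()` still compiles when handed `(uintptr_t)&pl` for a properly padded list, so the old signature is not wrong for correct callers; the point is that it also compiles for a bare three-element array, and only the typed `gparam_list *` parameter lets the compiler reject that.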