Change in libosmocore[master]: osmo_fsm_inst_state_chg(): clamp timeout_secs to <= ~68 years

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Neels Hofmeyr gerrit-no-reply at lists.osmocom.org
Mon Jan 28 23:57:03 UTC 2019


Neels Hofmeyr has uploaded this change for review. ( https://gerrit.osmocom.org/12716 )


Change subject: osmo_fsm_inst_state_chg(): clamp timeout_secs to <= ~68 years
......................................................................

osmo_fsm_inst_state_chg(): clamp timeout_secs to <= ~68 years

During testing of the upcoming tdef API, it became apparent that passing very
large timeout values to osmo_fsm_inst_state_chg() wraps back in the number
range, and might actually result in effectively very short timeouts instead.

Since time_t's range is not well defined across platforms, use a reasonable
maximum value of signed 64 bit integer. Hence this will be safe at least on
systems with an int64_t for struct timeval.tv_sec and larger.

Clamp the osmo_fsm_inst_state_chg() timeout_secs argument to a maximum of
0x7fffffff, which amounts to just above 68 years:
float(0x7fffffff) / (60. * 60 * 24 * 365.25) = 68.04965038532715

(In upcoming patch Ibd6b1ed7f1bd6e1f2e0fde53352055a4468f23e5, this can be
verified to work by invoking tdef_test manually with a cmdline argument passed
to enable the range check.)

Change-Id: I35ec4654467b1d6040c8aa215049766089e5e64a
---
M src/fsm.c
1 file changed, 13 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/16/12716/1

diff --git a/src/fsm.c b/src/fsm.c
index ae7c0f5..33a5bbd 100644
--- a/src/fsm.c
+++ b/src/fsm.c
@@ -437,6 +437,11 @@
 	uint32_t old_state = fi->state;
 	const struct osmo_fsm_state *st = &fsm->states[fi->state];
 
+	/* Limit to 0x7fffffff seconds as explained by
+	 * _osmo_fsm_inst_state_chg()'s API doc. */
+	if (timeout_secs > 0x7fffffff)
+		timeout_secs = 0x7fffffff;
+
 	/* validate if new_state is a valid state */
 	if (!(st->out_state_mask & (1 << new_state))) {
 		LOGPFSMLSRC(fi, LOGL_ERROR, file, line,
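Review bot: the clamp is silent, so a caller that passes an out-of-range timeout_secs (the very mistake the change description says surfaced while testing the tdef API) is corrected without leaving any trace in the log; consider emitting a notice on the clamped path, using LOGPFSMLSRC(fi, LOGL_NOTICE, file, line, ...) as the invalid-state check right below already does, so such callers can be found and fixed. Also, 0x7fffffff is written out twice here and once more as 2147483647 in the doc comment; a single named constant (INT32_MAX from <stdint.h>, or a dedicated define next to the function) would keep the three in sync.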
@@ -493,9 +498,16 @@
  *  timer_cb. If passing timeout_secs == 0, it is recommended to also pass T ==
  *  0, so that fi->T is reset to 0 when no timeout is invoked.
  *
+ *  Range: since time_t's maximum value is not well defined in a cross platform
+ *  way, clamp timeout_secs to the maximum of the signed 64bit range, or roughly
+ *  68 years (float(0x7fffffff) / (60. * 60 * 24 * 365.25) = 68.0497). Thus
+ *  ensure that very large timeouts do not wrap around to become very small
+ *  ones. Note though that this might still be unsafe on systems with a time_t
+ *  range below 64 bits.
+ *
  *  \param[in] fi FSM instance whose state is to change
  *  \param[in] new_state The new state into which we should change
- *  \param[in] timeout_secs Timeout in seconds (if !=0)
+ *  \param[in] timeout_secs Timeout in seconds (if !=0), maximum-clamped to 2147483647 seconds.
  *  \param[in] T Timer number (if \ref timeout_secs != 0)
  *  \param[in] file Calling source file (from osmo_fsm_inst_state_chg macro)
  *  \param[in] line Calling source line (from osmo_fsm_inst_state_chg macro)
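Review bot: the doc comment's "maximum of the signed 64bit range" does not match the code: 0x7fffffff (2147483647) is the signed 32-bit maximum, which is exactly why it works out to roughly 68 years; the signed 64-bit maximum would be 0x7fffffffffffffff. Suggest rewording to "clamp timeout_secs to INT32_MAX (0x7fffffff), roughly 68 years". The closing sentence about systems with a time_t range below 64 bits then also needs revisiting: after the clamp the argument itself fits a 32-bit time_t, and the residual risk is that the absolute expiry computed from it (current time plus up to 68 years) can still exceed a 32-bit time_t, which is a 2038-style overflow of the deadline rather than a wrap of the argument, and is worth stating as such.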

-- 
To view, visit https://gerrit.osmocom.org/12716
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I35ec4654467b1d6040c8aa215049766089e5e64a
Gerrit-Change-Number: 12716
Gerrit-PatchSet: 1
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>