RDK-60607: Coverity fix for y2k38_issue#441
RDK-60607: Coverity fix for y2k38_issue#441dshett549 wants to merge 2 commits intordkcentral:developfrom
Conversation
Signed-off-by: dshett549 <DEEPTHICHANDRASHEKAR_SHETTY@comcast.com>
There was a problem hiding this comment.
Pull request overview
This PR addresses the Year 2038 (Y2K38) problem by converting timestamp fields from 32-bit (time_t/int32_t) to 64-bit (uint64_t) types. The Y2K38 issue occurs when 32-bit signed time_t values overflow on January 19, 2038. This change ensures the codebase can handle timestamps beyond 2038.
Changes:
- Converted timestamp fields T1-T5 in rtMessageHeader from time_t to uint64_t with corresponding encoding/decoding updates
- Changed buffer size tracking fields (bytes_read, bytes_to_read, read_buffer_capacity) from int to uint64_t to support larger buffer sizes
- Added new rtMessage_SetUInt64/GetUInt64 API functions and rtEncoder_EncodeUInt64/DecodeUInt64 encoding functions for 64-bit unsigned integer support
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 12 comments.
Show a summary per file
| File | Description |
|---|---|
| src/rtmessage/rtMessageHeader.h | Changed T1-T5 timestamp fields from time_t to uint64_t |
| src/rtmessage/rtMessageHeader.c | Updated header size calculation and encoding/decoding to use UInt64 functions, added inttypes.h include |
| src/rtmessage/rtEncoder.h | Added declarations for rtEncoder_EncodeUInt64 and rtEncoder_DecodeUInt64 |
| src/rtmessage/rtEncoder.c | Implemented 64-bit encoding/decoding functions using htobe64/be64toh |
| src/rtmessage/rtMessage.h | Added rtMessage_SetUInt64 and rtMessage_GetUInt64 API declarations |
| src/rtmessage/rtMessage.c | Implemented uint64_t message functions using string serialization with PRIu64/strtoull, added inttypes.h include |
| src/rtmessage/rtConnection.c | Updated timestamp assignments with uint64_t casts and changed rtConnection_SendInternal signature |
| src/rtmessage/rtrouteBase.h | Changed bytes_read, bytes_to_read, read_buffer_capacity from int to uint64_t |
| src/rtmessage/rtrouteBase.c | Updated timestamp assignments with uint64_t casts, changed format specifiers to %ld, fixed local variable type |
| src/rtmessage/rtrouted.c | Updated message handling to use GetUInt64/SetUInt64, changed format specifiers to %ld, fixed local variable type |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| else | ||
| { | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %d bytes. Message will be dropped.", incoming_data_size); | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); |
There was a problem hiding this comment.
Double negative "Couldn't not" should be corrected to "Couldn't" or "Could not". This is a grammatical error that makes the message confusing.
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); | |
| rtLog_Info("Could not reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); |
| else | ||
| { | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %d bytes. Message will be dropped.", incoming_data_size); | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); |
There was a problem hiding this comment.
Double negative "Couldn't not" should be corrected to "Couldn't" or "Could not". This is a grammatical error that makes the message confusing.
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); | |
| rtLog_Info("Couldn't reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); |
| clnt->read_buffer = ptr; | ||
| clnt->read_buffer_capacity = incoming_data_size; | ||
| rtLog_Info("Reallocated read buffer to %d bytes to accommodate traffic.", incoming_data_size); | ||
| rtLog_Info("Reallocated read buffer to %ld bytes to accommodate traffic.", incoming_data_size); |
There was a problem hiding this comment.
Using %ld format specifier for uint64_t is not portable across all platforms. On 32-bit systems, uint64_t may require %llu, while on 64-bit systems %ld may work but is technically incorrect. The proper portable format specifier for uint64_t is PRIu64 from inttypes.h. Note that rtMessageHeader.c already includes inttypes.h and uses PRIu64 correctly.
| else | ||
| { | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %d bytes. Message will be dropped.", incoming_data_size); | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); |
There was a problem hiding this comment.
Using %ld format specifier for uint64_t is not portable across all platforms. On 32-bit systems, uint64_t may require %llu, while on 64-bit systems %ld may work but is technically incorrect. The proper portable format specifier for uint64_t is PRIu64 from inttypes.h. Note that rtMessageHeader.c already includes inttypes.h and uses PRIu64 correctly.
| clnt->read_buffer = ptr; | ||
| clnt->read_buffer_capacity = incoming_data_size; | ||
| rtLog_Info("Reallocated read buffer to %d bytes to accommodate traffic.", incoming_data_size); | ||
| rtLog_Info("Reallocated read buffer to %ld bytes to accommodate traffic.", incoming_data_size); |
There was a problem hiding this comment.
Using %ld format specifier for uint64_t is not portable across all platforms. On 32-bit systems, uint64_t may require %llu, while on 64-bit systems %ld may work but is technically incorrect. The proper portable format specifier for uint64_t is PRIu64 from inttypes.h. Note that rtMessageHeader.c already includes inttypes.h and uses PRIu64 correctly.
| clnt->bytes_to_read += clnt->header.payload_length; | ||
| clnt->state = rtConnectionState_ReadPayload; | ||
| int incoming_data_size = clnt->bytes_to_read + clnt->bytes_read; | ||
| uint64_t incoming_data_size = clnt->bytes_to_read + clnt->bytes_read; |
There was a problem hiding this comment.
Potential integer overflow when adding clnt->bytes_to_read and clnt->bytes_read. Since both are now uint64_t, the sum could theoretically overflow, though this is extremely unlikely in practice. However, since this value is used with rt_try_realloc which typically expects size_t, and since memory allocation will fail for extremely large values anyway, the code should validate that incoming_data_size does not exceed reasonable bounds before attempting reallocation.
| uint64_t bytes_read; | ||
| uint64_t bytes_to_read; | ||
| uint64_t read_buffer_capacity; |
There was a problem hiding this comment.
The spacing/indentation for these three uint64_t fields is inconsistent. The type declaration should align properly with other fields in the struct for better readability and code consistency. Compare with the consistent spacing used for other fields like "int fd" and "rtConnectionState state".
| uint64_t bytes_read; | |
| uint64_t bytes_to_read; | |
| uint64_t read_buffer_capacity; | |
| uint64_t bytes_read; | |
| uint64_t bytes_to_read; | |
| uint64_t read_buffer_capacity; |
| else | ||
| { | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %d bytes. Message will be dropped.", incoming_data_size); | ||
| rtLog_Info("Couldn't not reallocate read buffer to accommodate %ld bytes. Message will be dropped.", incoming_data_size); |
There was a problem hiding this comment.
Using %ld format specifier for uint64_t is not portable across all platforms. On 32-bit systems, uint64_t may require %llu, while on 64-bit systems %ld may work but is technically incorrect. The proper portable format specifier for uint64_t is PRIu64 from inttypes.h. Note that rtMessageHeader.c already includes inttypes.h and uses PRIu64 correctly.
| clnt->bytes_to_read += clnt->header.payload_length; | ||
| clnt->state = rtConnectionState_ReadPayload; | ||
| int incoming_data_size = clnt->bytes_to_read + clnt->bytes_read; | ||
| uint64_t incoming_data_size = clnt->bytes_to_read + clnt->bytes_read; |
There was a problem hiding this comment.
Potential integer overflow when adding clnt->bytes_to_read and clnt->bytes_read. Since both are now uint64_t, the sum could theoretically overflow, though this is extremely unlikely in practice. However, since this value is used with rt_try_realloc which typically expects size_t, and since memory allocation will fail for extremely large values anyway, the code should validate that incoming_data_size does not exceed reasonable bounds before attempting reallocation.
| cJSON* p = cJSON_GetObjectItem(message->json, name); | ||
| if (p && p->valuestring) | ||
| { | ||
| *value = strtoull(p->valuestring, NULL, 10); |
There was a problem hiding this comment.
The strtoull function is called without error checking. If the string cannot be converted to a valid uint64_t (e.g., contains non-numeric characters, overflows), strtoull will return 0 or ULLONG_MAX and set errno, but this code doesn't check for these error conditions. Consider using the second parameter (endptr) to verify that the entire string was consumed, or check errno after the call to detect conversion errors.
Coverity Issue - Unchecked return valueCalling "pthread_mutexattr_init" without checking return value (as is done elsewhere 8 out of 10 times). Medium Impact, CWE-252 Issue locationThis issue was discovered outside the diff for this Pull Request. You can find it at: |
Coverity Issue - Overflowed integer argumentThe cast of "msginfo->header.payload_length" to a signed type could result in a negative number. High Impact, CWE-190 Issue locationThis issue was discovered outside the diff for this Pull Request. You can find it at: |
| if(header.flags & rtMessageFlags_Request) | ||
| { | ||
| header.T1 = send_time.tv_sec; | ||
| header.T1 = (uint64_t)send_time.tv_sec; |
There was a problem hiding this comment.
(uint64_t)send_time.tv_sec * 1000000000LL + ts.tv_nsec; This way we could retain the nanosec details too.
| header.T2 = T2; | ||
| header.T3 = T3; | ||
| header.T4 = send_time.tv_sec; | ||
| header.T4 = (uint64_t)send_time.tv_sec; |
|
Any idea on how this will work with #435? |
|
Closing this PR, as it is handled in other PR 442 |
Reason For Change: y2k38 issue
Signed-off-by: Deepthi DEEPTHICHANDRASHEKAR_SHETTY@comcast.com