
fix(telemetry): cap dependency name length to copied bytes #3538

Merged
morrisonlevi merged 1 commit into master from levi/copylen
Dec 18, 2025

Conversation

@morrisonlevi
Collaborator

@morrisonlevi morrisonlevi commented Dec 18, 2025

Description

Example numbers for the bug:

  • namelen = 500 (module name is 500 chars long)
  • copylen = min(256, 500) = 256

Memory we actually have in the stack buffer:

  • "ext-" + 256 bytes of name = 260 bytes total

But we were sending:

  • CharSlice.len = namelen + 4 = 504

So Rust would try to read 504 bytes from a buffer that only contains 260 valid bytes, causing an out-of-bounds read.

I am not aware of any crashes that are happening directly because of this, meaning, I'm not aware of any modules which have names that long. However, this function is involved in crash reports, so that's where the additional scrutiny is coming from.

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.
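The length mismatch the description walks through, as an added example that is not code from this PR or from the project: a hypothetical reconstruction in C of the before and after. The `char_slice_t` type, the function names and the constructed 500-byte name are assumptions made here; `namelen`, `copylen`, the `"ext-"` prefix and the 256-byte cap come from the description. The buggy version never writes past the buffer, it only advertises a length larger than the buffer, which is exactly what the Rust side would then read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a minimal pointer+length slice standing in for the CharSlice
 * handed to Rust in the PR; the project's real type is not reproduced here. */
typedef struct {
    const char *ptr;
    size_t len;
} char_slice_t;

#define NAME_CAP   256u                      /* bytes of name the stack buffer holds */
#define PREFIX     "ext-"
#define PREFIX_LEN (sizeof(PREFIX) - 1)      /* 4 */
#define BUF_CAP    (PREFIX_LEN + NAME_CAP)   /* 260 */

/* Before the fix (hypothetical reconstruction): the name is truncated to
 * copylen when copied, but the slice length is still derived from namelen. */
static char_slice_t dep_name_before(char *buf, const char *name, size_t namelen) {
    size_t copylen = namelen < NAME_CAP ? namelen : NAME_CAP;
    memcpy(buf, PREFIX, PREFIX_LEN);
    memcpy(buf + PREFIX_LEN, name, copylen);
    char_slice_t s = { buf, namelen + PREFIX_LEN };  /* BUG: may exceed BUF_CAP */
    return s;
}

/* After the fix: the length reflects only the bytes actually placed in buf. */
static char_slice_t dep_name_after(char *buf, const char *name, size_t namelen) {
    size_t copylen = namelen < NAME_CAP ? namelen : NAME_CAP;
    memcpy(buf, PREFIX, PREFIX_LEN);
    memcpy(buf + PREFIX_LEN, name, copylen);
    char_slice_t s = { buf, copylen + PREFIX_LEN };  /* bounded by BUF_CAP */
    return s;
}

/* Defensive check a caller or unit test can apply before the slice crosses the
 * FFI boundary: the advertised length must fit the backing buffer. */
static int slice_fits_buffer(char_slice_t s, const char *buf, size_t buf_cap) {
    return s.ptr == buf && s.len <= buf_cap;
}

/* Helpers that run each variant on a constructed name of `namelen` 'a' bytes
 * (namelen is clamped to the constructed name's size) and report the results
 * while the stack buffer is still alive. */
static size_t reported_len_before(size_t namelen) {
    char name[512]; memset(name, 'a', sizeof name);
    if (namelen > sizeof name) namelen = sizeof name;
    char buf[BUF_CAP];
    return dep_name_before(buf, name, namelen).len;
}

static size_t reported_len_after(size_t namelen) {
    char name[512]; memset(name, 'a', sizeof name);
    if (namelen > sizeof name) namelen = sizeof name;
    char buf[BUF_CAP];
    return dep_name_after(buf, name, namelen).len;
}

static int fits_before(size_t namelen) {
    char name[512]; memset(name, 'a', sizeof name);
    if (namelen > sizeof name) namelen = sizeof name;
    char buf[BUF_CAP];
    return slice_fits_buffer(dep_name_before(buf, name, namelen), buf, BUF_CAP);
}

static int fits_after(size_t namelen) {
    char name[512]; memset(name, 'a', sizeof name);
    if (namelen > sizeof name) namelen = sizeof name;
    char buf[BUF_CAP];
    return slice_fits_buffer(dep_name_after(buf, name, namelen), buf, BUF_CAP);
}

int main(void) {
    /* The PR's numbers: namelen = 500 -> before reports 504, after reports 260. */
    printf("namelen=500 before: len=%zu fits=%d\n", reported_len_before(500), fits_before(500));
    printf("namelen=500 after:  len=%zu fits=%d\n", reported_len_after(500), fits_after(500));
    /* A short name is unaffected: both report 14. */
    printf("namelen=10  before: len=%zu after: len=%zu\n", reported_len_before(10), reported_len_after(10));
    return 0;
}
```

The `slice_fits_buffer` check is the property a unit test for this code path should pin down: whatever length is sent must never exceed the bytes the buffer holds, and the 500-byte case only shows up as a failure if a test actually uses a name longer than the cap.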

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.73%. Comparing base (2fa9b2e) to head (bfb7ae6).


@@            Coverage Diff             @@
##           master    #3538      +/-   ##
==========================================
- Coverage   61.74%   61.73%   -0.02%     
==========================================
  Files         143      143              
  Lines       13045    13045              
  Branches     1704     1704              
==========================================
- Hits         8055     8053       -2     
- Misses       4228     4231       +3     
+ Partials      762      761       -1     

see 1 file with indirect coverage changes



@pr-commenter

pr-commenter Bot commented Dec 18, 2025

Benchmarks [ tracer ]

Benchmark execution time: 2025-12-18 02:46:04

Comparing candidate commit bfb7ae6 in PR branch levi/copylen with baseline commit 2fa9b2e in branch master.

Found 1 performance improvements and 2 performance regressions! Performance is the same for 191 metrics, 0 unstable metrics.

scenario:ComposerTelemetryBench/benchTelemetryParsing

  • 🟥 execution_time [+347.366ns; +1252.634ns] or [+3.277%; +11.817%]

scenario:MessagePackSerializationBench/benchMessagePackSerialization-opcache

  • 🟥 execution_time [+4.491µs; +5.749µs] or [+4.214%; +5.394%]

scenario:TraceSerializationBench/benchSerializeTrace

  • 🟩 execution_time [-38.646µs; -28.554µs] or [-8.648%; -6.390%]

@morrisonlevi morrisonlevi marked this pull request as ready for review December 18, 2025 16:31
@morrisonlevi morrisonlevi requested a review from a team as a code owner December 18, 2025 16:31
@morrisonlevi morrisonlevi merged commit 5b09e4d into master Dec 18, 2025
2007 of 2008 checks passed
@morrisonlevi morrisonlevi deleted the levi/copylen branch December 18, 2025 16:51
@github-actions github-actions Bot added this to the 1.16.0 milestone Dec 18, 2025
3 participants