From a38ce3dc3bba5cc5947928e94cea87c054a3b9ad Mon Sep 17 00:00:00 2001 From: yihaoDeng Date: Mon, 2 Dec 2024 17:46:00 +0800 Subject: [PATCH 1/2] add msg len check --- include/util/taoserror.h | 1 + source/libs/transport/inc/transComm.h | 1 + source/libs/transport/src/transCli.c | 19 ++++++++++++++++--- source/util/src/terror.c | 1 + 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/include/util/taoserror.h b/include/util/taoserror.h index 6caac066de..42d4ccf535 100644 --- a/include/util/taoserror.h +++ b/include/util/taoserror.h @@ -97,6 +97,7 @@ int32_t taosGetErrSize(); #define TSDB_CODE_RPC_ASYNC_IN_PROCESS TAOS_DEF_ERROR_CODE(0, 0x0028) #define TSDB_CODE_RPC_NO_STATE TAOS_DEF_ERROR_CODE(0, 0x0029) #define TSDB_CODE_RPC_STATE_DROPED TAOS_DEF_ERROR_CODE(0, 0x002A) +#define TSDB_CODE_RPC_MSG_EXCCED_LIMIT TAOS_DEF_ERROR_CODE(0, 0x002B) //common & util #define TSDB_CODE_OPS_NOT_SUPPORT TAOS_DEF_ERROR_CODE(0, 0x0100) // diff --git a/source/libs/transport/inc/transComm.h b/source/libs/transport/inc/transComm.h index 2ba88cdcc6..6ec5f74f62 100644 --- a/source/libs/transport/inc/transComm.h +++ b/source/libs/transport/inc/transComm.h @@ -99,6 +99,7 @@ typedef void* queue[2]; #define TRANS_CONN_TIMEOUT 5000 // connect timeout (ms) #define TRANS_READ_TIMEOUT 3000 // read timeout (ms) #define TRANS_PACKET_LIMIT 1024 * 1024 * 512 +#define TRANS_MSG_LIMIT (TRANS_PACKET_LIMIT - sizeof(STransMsgHead)) #define TRANS_MAGIC_NUM 0x5f375a86 #define TRANS_NOVALID_PACKET(src) ((src) != TRANS_MAGIC_NUM ? 1 : 0) diff --git a/source/libs/transport/src/transCli.c b/source/libs/transport/src/transCli.c index c62b8d21c9..2bf4cda7fa 100644 --- a/source/libs/transport/src/transCli.c +++ b/source/libs/transport/src/transCli.c 
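Review bot: The new public error code is spelled `TSDB_CODE_RPC_MSG_EXCCED_LIMIT`. Patch 2/2 corrects the same typo in the static helper name but leaves the macro unchanged. Because this header lives under `include/`, the name gets harder to change once other code refers to it. I would fix it now: `#define TSDB_CODE_RPC_MSG_EXCEED_LIMIT TAOS_DEF_ERROR_CODE(0, 0x002B)`, updating the `TAOS_DEFINE_ERROR` entry in terror.c and the three return sites in transCli.c to match.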
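Review bot: `TRANS_MSG_LIMIT` takes the type `size_t` from the `sizeof`, so the comparison `pMsg->contLen >= TRANS_MSG_LIMIT` in `isReqExccedLimit` (transCli.c) converts `contLen` to unsigned first. The declaration of `contLen` is not part of this diff; if it is a signed field, a negative length is rejected only as a side effect of that conversion, and is reported as an oversized message. Spelling the intent out keeps the length validation from changing silently if the macro's type ever does: `if (pMsg != NULL && (pMsg->contLen < 0 || (size_t)pMsg->contLen >= TRANS_MSG_LIMIT))`. A short comment on the macro would also help, for example `// largest payload that still fits in one packet together with STransMsgHead`.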
@@ -377,6 +377,12 @@ static FORCE_INLINE void logConnMissHit(SCliConn* pConn); static void* cliWorkThread(void* arg); +static bool isReqExccedLimit(STransMsg* pMsg) { + if (pMsg != NULL && pMsg->contLen >= TRANS_MSG_LIMIT) { + return true; + } + return false; +} int32_t cliGetConnTimer(SCliThrd* pThrd, SCliConn* pConn) { uv_timer_t* timer = taosArrayGetSize(pThrd->timerList) > 0 ? *(uv_timer_t**)taosArrayPop(pThrd->timerList) : NULL; if (timer == NULL) { @@ -3209,6 +3215,10 @@ _exception: } int32_t transSendRequest(void* pInstRef, const SEpSet* pEpSet, STransMsg* pReq, STransCtx* ctx) { + if (isReqExccedLimit(pReq)) { + return TSDB_CODE_RPC_MSG_EXCCED_LIMIT; + } + STrans* pInst = (STrans*)transAcquireExHandle(transGetInstMgt(), (int64_t)pInstRef); if (pInst == NULL) { transFreeMsg(pReq->pCont); @@ -3236,9 +3246,6 @@ int32_t transSendRequest(void* pInstRef, const SEpSet* pEpSet, STransMsg* pReq, return (code == TSDB_CODE_RPC_ASYNC_MODULE_QUIT ? TSDB_CODE_RPC_MODULE_QUIT : code); } - // if (pReq->msgType == TDMT_SCH_DROP_TASK) { - // TAOS_UNUSED(transReleaseCliHandle(pReq->info.handle)); - // } transReleaseExHandle(transGetInstMgt(), (int64_t)pInstRef); return 0; @@ -3255,6 +3262,9 @@ int32_t transSendRequestWithId(void* pInstRef, const SEpSet* pEpSet, STransMsg* if (transpointId == NULL) { return TSDB_CODE_INVALID_PARA; } + if (isReqExccedLimit(pReq)) { + return TSDB_CODE_RPC_MSG_EXCCED_LIMIT; + } int32_t code = 0; int8_t transIdInited = 0; @@ -3306,6 +3316,9 @@ _exception: } int32_t transSendRecv(void* pInstRef, const SEpSet* pEpSet, STransMsg* pReq, STransMsg* pRsp) { + if (isReqExccedLimit(pReq)) { + return TSDB_CODE_RPC_MSG_EXCCED_LIMIT; + } STrans* pInst = (STrans*)transAcquireExHandle(transGetInstMgt(), (int64_t)pInstRef); if (pInst == NULL) { transFreeMsg(pReq->pCont); diff --git a/source/util/src/terror.c b/source/util/src/terror.c index fe99fe39a9..6220a18572 100644 --- a/source/util/src/terror.c +++ b/source/util/src/terror.c 
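Review bot: The new early return in `transSendRequest` leaves `pReq->pCont` allocated, while the failure path just below it (`pInst == NULL`) calls `transFreeMsg(pReq->pCont)` before returning. If callers rely on the transport to release the payload whenever a send fails, which that neighbouring path suggests but this diff does not show, each rejected request leaks a buffer of roughly half a gigabyte or more. Freeing on rejection would match the existing path: `if (isReqExccedLimit(pReq)) { transFreeMsg(pReq->pCont); pReq->pCont = NULL; return TSDB_CODE_RPC_MSG_EXCCED_LIMIT; }`. The same applies to the added check in `transSendRecv` (hunk at -3306). In `transSendRequestWithId` the pre-existing `transpointId == NULL` return does not free either, so the ownership rule for that entry point should be confirmed and documented. All three function bodies continue outside their hunks.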
@@ -63,6 +63,7 @@ TAOS_DEFINE_ERROR(TSDB_CODE_RPC_ASYNC_MODULE_QUIT, "rpc async module alre TAOS_DEFINE_ERROR(TSDB_CODE_RPC_ASYNC_IN_PROCESS, "rpc async in process") TAOS_DEFINE_ERROR(TSDB_CODE_RPC_NO_STATE, "rpc no state") TAOS_DEFINE_ERROR(TSDB_CODE_RPC_STATE_DROPED, "rpc state already dropped") +TAOS_DEFINE_ERROR(TSDB_CODE_RPC_MSG_EXCCED_LIMIT, "rpc msg exceed limit") //common & util TAOS_DEFINE_ERROR(TSDB_CODE_TIME_UNSYNCED, "Client and server's time is not synchronized") From d7aae7dcf3daf776d5f809ea026a013dcaa386ac Mon Sep 17 00:00:00 2001 From: yihaoDeng Date: Mon, 2 Dec 2024 17:49:37 +0800 Subject: [PATCH 2/2] add msg len check --- source/libs/transport/src/transCli.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/libs/transport/src/transCli.c b/source/libs/transport/src/transCli.c index 2bf4cda7fa..a90c546796 100644 --- a/source/libs/transport/src/transCli.c +++ b/source/libs/transport/src/transCli.c @@ -377,7 +377,7 @@ static FORCE_INLINE void logConnMissHit(SCliConn* pConn); static void* cliWorkThread(void* arg); -static bool isReqExccedLimit(STransMsg* pMsg) { +static bool isReqExceedLimit(STransMsg* pMsg) { if (pMsg != NULL && pMsg->contLen >= TRANS_MSG_LIMIT) { return true; } @@ -3215,7 +3215,7 @@ _exception: } int32_t transSendRequest(void* pInstRef, const SEpSet* pEpSet, STransMsg* pReq, STransCtx* ctx) { - if (isReqExccedLimit(pReq)) { + if (isReqExceedLimit(pReq)) { return TSDB_CODE_RPC_MSG_EXCCED_LIMIT; } @@ -3262,7 +3262,7 @@ int32_t transSendRequestWithId(void* pInstRef, const SEpSet* pEpSet, STransMsg* if (transpointId == NULL) { return TSDB_CODE_INVALID_PARA; } - if (isReqExccedLimit(pReq)) { + if (isReqExceedLimit(pReq)) { return TSDB_CODE_RPC_MSG_EXCCED_LIMIT; } int32_t code = 0; 
@@ -3316,7 +3316,7 @@ _exception: } int32_t transSendRecv(void* pInstRef, const SEpSet* pEpSet, STransMsg* pReq, STransMsg* pRsp) { - if (isReqExccedLimit(pReq)) { + if (isReqExceedLimit(pReq)) { return TSDB_CODE_RPC_MSG_EXCCED_LIMIT; } STrans* pInst = (STrans*)transAcquireExHandle(transGetInstMgt(), (int64_t)pInstRef);