fix: guard non-string JSON type fields before strcmp in C API driver #165
Open
ramakrishnap-nv wants to merge 1 commit into
parse_cuopt_json() read variable_types[] and the constraint_bounds.types[] fallback via cJSON valuestring and passed the result straight to strcmp(). cJSON sets valuestring to NULL for non-string nodes (numbers, bools, null, arrays, objects), so a non-string element produced strcmp(NULL, ...), which dereferences a NULL pointer and crashes (SIGSEGV; UBSan nonnull violation) on untrusted cuOpt-JSON input.

Guard both sinks with cJSON_IsString() plus a NULL check before each strcmp, falling back to the default (CONTINUOUS variable / unconstrained row) for non-string entries.

Verified under ASan/UBSan: both a number-valued variable_types element and a number-valued constraint_bounds.types element crashed before the fix and parse cleanly after.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Ramakrishna Prabhu <ramakrishnap@nvidia.com>
Summary

`parse_cuopt_json()` in `benchmark_apis/c_api_driver/cuopt_json_to_c_api.c` read JSON array elements via cJSON's `valuestring` and passed them straight to `strcmp()`. cJSON sets `valuestring` to `NULL` for non-string nodes (numbers, bools, `null`, arrays, objects), so a non-string element produced `strcmp(NULL, ...)` — a NULL-pointer dereference that crashes the driver (SIGSEGV; UBSan nonnull violation) on untrusted cuOpt-JSON input.

Two sinks were affected:

- `variable_types[]` parsing loop (`strcmp(type_str, "I")`)
- `constraint_bounds.types[]` fallback (`strcmp(type, "L"|"G"|"E")`)

Fix

Guard both sinks with `cJSON_IsString()` + a `NULL` check before each `strcmp`, falling back to the existing default (CONTINUOUS variable / unconstrained row) for non-string entries. This matches the `cJSON_IsString(...) ? ... : NULL` pattern already used in `parse_numeric_value()`.

Reproducer

```json
{
  "csr_constraint_matrix": {"offsets": [0, 1], "indices": [0], "values": [1.0]},
  "objective_data": {"coefficients": [1.0], "offset": 0.0},
  "variable_bounds": {"lower_bounds": [0.0], "upper_bounds": [0.0]},
  "maximize": false,
  "variable_types": [123]
}
```

A non-string `constraint_bounds.types` element (e.g. `"types": [123]`) triggers the same crash on the `G`/`E` branches.

Verification

Built the translation unit under ASan + UBSan (real parser, stubbed solver). Both a number-valued `variable_types` element and a number-valued `constraint_bounds.types` element crashed with a SEGV in `strcmp` before the fix and parse cleanly after.

Found via fuzzing; robustness / availability hardening (not a production solver path).
🤖 Generated with Claude Code
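
Added example (not code from this pull request or the cuOpt repository): the string-type guard the description above calls for, shown on a stand-in node type so it builds without cJSON. `struct node`, the enum names and the function names are hypothetical, and mapping strings other than "I"/"L"/"G"/"E" to the default is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a parsed JSON node (assumption: models only the fields the
 * bug depends on; this is not the cJSON struct itself). */
enum node_type { NODE_NUMBER, NODE_STRING };
struct node {
    enum node_type type;
    const char *valuestring;   /* NULL unless the node holds a string */
    double valuedouble;
};

enum var_type { VAR_CONTINUOUS = 0, VAR_INTEGER = 1 };   /* hypothetical names */
enum row_type { ROW_FREE = 0, ROW_LE, ROW_GE, ROW_EQ };  /* hypothetical names */

/* Plays the role of cJSON_IsString() plus the NULL check: the caller only
 * ever sees a usable C string or NULL, never a pointer from a non-string. */
static const char *string_or_null(const struct node *n)
{
    return (n != NULL && n->type == NODE_STRING) ? n->valuestring : NULL;
}

enum var_type classify_variable(const struct node *n)
{
    const char *s = string_or_null(n);
    if (s == NULL)
        return VAR_CONTINUOUS;      /* non-string entry: keep the default */
    return strcmp(s, "I") == 0 ? VAR_INTEGER : VAR_CONTINUOUS;
}

enum row_type classify_row(const struct node *n)
{
    const char *s = string_or_null(n);
    if (s == NULL)
        return ROW_FREE;            /* non-string entry: unconstrained row */
    if (strcmp(s, "L") == 0) return ROW_LE;
    if (strcmp(s, "G") == 0) return ROW_GE;
    if (strcmp(s, "E") == 0) return ROW_EQ;
    return ROW_FREE;                /* assumption: unknown strings use the default */
}

int main(void)
{
    /* Constructed inputs: the string "I", then the reproducer's number 123. */
    struct node str = { NODE_STRING, "I", 0.0 };
    struct node num = { NODE_NUMBER, NULL, 123.0 };
    printf("%d %d %d\n", classify_variable(&str), classify_variable(&num),
           classify_row(&num));
    return 0;
}
```

Without the `string_or_null()` step, the `num` node would reach `strcmp()` with a NULL first argument, which is the crash the reproducer triggers.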