From eea748b14fc3f4d0b1c7c2d99f17e6de9bd3dba9 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Tue, 10 May 2016 18:53:07 -0400 Subject: [PATCH] Add a defensive sanity check to protobuf marshal This prevents programmer error from resulting in objects serialized to the wire that are incorrectly designed. The normal path guards against this, but the runtime.Unknown NestedMarshalTo fast path (which avoids an allocation) doesn't have the same defensive guard. --- pkg/runtime/types_proto.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkg/runtime/types_proto.go b/pkg/runtime/types_proto.go index 4bb4d8ec805..142dd05daaa 100644 --- a/pkg/runtime/types_proto.go +++ b/pkg/runtime/types_proto.go @@ -16,6 +16,10 @@ limitations under the License. package runtime +import ( + "fmt" +) + type ProtobufMarshaller interface { MarshalTo(data []byte) (int, error) } @@ -44,6 +48,11 @@ func (m *Unknown) NestedMarshalTo(data []byte, b ProtobufMarshaller, size uint64 if err != nil { return 0, err } + if uint64(n2) != size { + // programmer error: the Size() method for protobuf does not match the results of MarshalTo, which means the proto + // struct returned would be wrong. + return 0, fmt.Errorf("the Size() value of %T was %d, but NestedMarshalTo wrote %d bytes to data", b, size, n2) + } i += n2 }