Address code review feedback - fix race condition, add size_t validation, improve tests

Co-authored-by: johndoe6345789 <224850594+johndoe6345789@users.noreply.github.com>
2026-04-26 23:04:57 +00:00 · 2025-12-25 08:34:14 +00:00
parent be863235a1
commit b7008427f9
2 changed files with 20 additions and 7 deletions
--- a/dbal/cpp/src/daemon/server.cpp
+++ b/dbal/cpp/src/daemon/server.cpp
@@ -275,14 +275,15 @@ private:
            }
            
            // Check connection limit to prevent thread exhaustion DoS
-            if (active_connections_.load() >= MAX_CONCURRENT_CONNECTIONS) {
+            // Use atomic fetch_add to avoid race condition
+            size_t prev_count = active_connections_.fetch_add(1);
+            if (prev_count >= MAX_CONCURRENT_CONNECTIONS) {
                std::cerr << "Connection limit reached, rejecting connection" << std::endl;
+                active_connections_--;
                CLOSE_SOCKET(client_fd);
                continue;
            }
            
-            active_connections_++;
-            
            // Handle connection in a new thread
            std::thread(&Server::handleConnection, this, client_fd).detach();
        }
@@ -486,6 +487,13 @@ private:
                            error_response.body = R"({"error":"Content-Length too large"})";
                            return false;
                        }
+                        // Validate fits in size_t (platform dependent)
+                        if (cl > std::numeric_limits<size_t>::max()) {
+                            error_response.status_code = 413;
+                            error_response.status_text = "Request Entity Too Large";
+                            error_response.body = R"({"error":"Content-Length exceeds platform limit"})";
+                            return false;
+                        }
                        content_length = static_cast<size_t>(cl);
                    } catch (...) {
                        error_response.status_code = 400;
--- a/dbal/cpp/tests/security/http_server_security_test.cpp
+++ b/dbal/cpp/tests/security/http_server_security_test.cpp
@@ -225,7 +225,8 @@ public:
        std::string part1 = "GET /api/status HTTP/1.1\r\n";
        send(sock, part1.c_str(), part1.length(), 0);
        
-        std::this_thread::sleep_for(std::chrono::seconds(5));
+        // Wait 2 seconds (reduced for faster tests)
+        std::this_thread::sleep_for(std::chrono::seconds(2));
        
        std::string part2 = "Host: localhost\r\n";
        int result = send(sock, part2.c_str(), part2.length(), 0);
@@ -293,10 +294,14 @@ public:
        if (bytes > 0) {
            buffer[bytes] = '\0';
            std::string response(buffer);
-            // Should not expose filesystem
+            // Should get 400 Bad Request for null byte
+            bool rejected = response.find("400") != std::string::npos || 
+                           response.find("Bad Request") != std::string::npos;
+            // Also verify no sensitive content exposed
            bool safe = response.find("passwd") == std::string::npos;
-            std::cout << "  " << (safe ? "PASS: Safe" : "FAIL: Vulnerable") << std::endl;
-            return safe;
+            bool pass = rejected && safe;
+            std::cout << "  " << (pass ? "PASS: Null byte rejected" : "FAIL: Vulnerable") << std::endl;
+            return pass;
        }
        
        return false;