When creating our own "owned and local" protobuf message in `StartProtobufMessage`, `m_FakeEngineBuffer` is used to track that message. In `EndMessage` the message is optionally converted to a "private" one with the right abi on osx and passed to the engine's `SendUserMessage`. On linux and windows the same message as in the `m_FakeEngineBuffer` is passed though without conversion. `engine->SendUserMessage` has a vtable hook which sets `m_FakeEngineBuffer` to the passed argument.
`m_FakeEngineBuffer` frees the message it previously held, since it's "owned" from `StartProtobufMessage`, but that's the same one that's passed in as argument so a use-after-free in the engine happens when the now-freed message pointer is forwarded to the real `SendUserMessage` in the engine.
The message created in `StartProtobufMessage` wasn't free'd at all when hooks are blocked too. This fix moves the message buffer into a local variable which is destroyed at the end of the function.
Fixes#1286 and #1296
On SDKs which use protobufs, the engine has objects compiled against a specific
version of protobuf. Normally this is fine, we take care on Linux to use the
same C++ ABI. On macOS however, we use libc++ to enable C++11 functionality,
whereas the protobuf library has been compiled with libstc++. These ABIs are
not compatible.
To address the problem, we introduce PbHandle. PbHandle is a wrapper around
protobuf::Message with two added pieces of state: whether or not the handle
"owns" the message (and can free it in its destructor), and whether or not
the handle was created by the engine (private) or created by SourceMod
(local).
Whenever we transfer a protobuf::Message pointer to SourceMod, we must take
care to convert it to a Local version first. Whenever we transfer a protobuf
pointer to the engine, we must convert it to a Private handle.
For platforms with no ABI differences (almost all of them), the handle is a
no-op. The private and local localities are compatible and no translation
takes place.
On macOS, CS:GO does require translation. SourceMod loads a tiny shim
library that contains a copy of the protobuf sources compiled against the
game's ABI. It then provides serialization and deserialization methods.
SourceMod must not interact with the game's protobuf objects without first
going through this proxy library.
Note that PbHandle is not quite like unique_ptr. It can be converted into a
PbHandle that does not destroy the underlying object. This is mainly because
UserMessages.cpp has rather complex state, so it is useful to track locality
without destroying an object. An unowned PbHandle must not outlive the
owning PbHandle.
It turns out this was already enabled on MSVC (due to /EHsc), but let's
enable it on other platforms as well.
Exception handling comes with a huge caveat: SourceMod and SourcePawn
are not exception safe. Not only do they predate usable STL (C++11),
they often predate C++03, and sometimes even C++ itself. There are many
places we do not use RAII, or where we accumulate state in a way that
cannot be interrupted.
By enabling exceptions, we are NOT inviting general try/catch. We are
still assuming that a `throw` anywhere within SourceMod will ultimately
result in a crash.
However, as we enable more and more STL, we are losing the ability to
gracefully handle constructor failures and malloc failures. So try-catch
is now enabled. It should only be used in the narrowest of
circumstances:
- When an exception can be thrown by a library call, and
- There is no way "a priori" to tell if an exception will be thrown
(for example, std::bad_alloc or std::system_error), and
- Handling the exception is meaningful.
Generally malloc failures should not be considered meaningful. Once
memory is exhausted, the program will crash or be OOM-killed, so there's
no point in handling the failure. However, cases where the allocation
amount is variable may be meaningful to handle. A simple example would
be CDataPack, where if a plugin leaks entries, it's better to handle
this gracefully given that vector growth is geometric. Another example
might be reads of a massive file or network request into a buffer.
These cases should be rare, given that memory pressure is usually
fatal to srcds anyway. But if you've decided to handle an exception,
the try-catch block should be as narrow as possible. For example,
the following is erroneous:
ke::Maybe<SomeGiganticThing> object;
try {
object.init();
} catch (const std::bad_alloc&) {
}
`ke::Maybe` is not threadsafe, and this can leak. Basically, do as
little as possible in try blocks, and use them sparingly, because
they're very difficult to audit.
We are also not inviting use of `throw`, as auditing it is even more
complex than try/catch. It is better to abort(), or use boolean
returns and two-stage object initialization.