Rust time crate CVE and general bugs (#155)

* compiling with time=0.3.17 but not clear if working properly yet

* remove time package in favor of std::time and chrono

* rust formatting cleanup

Author: jmwample

Cargo.toml

@@ -21,7 +21,7 @@ serde_derive = "^1.0.0"
 lazycell = "^0.5"
 libc = "~0.2"
 aes-gcm = "0.8.0"
-time = "0.1.*"
+chrono = "0.4.23"
 pnet = "0.31.0"
 arrayref = "0.3.2"
 log = "0.3.6"

src/flow_tracker.rs

@@ -1,5 +1,5 @@
 use std::collections::{HashSet, VecDeque};
-use time::precise_time_ns;
+use util::precise_time_ns;
 
 use pnet::packet::tcp::TcpPacket;
 use pnet::packet::udp::UdpPacket;
@@ -171,7 +171,7 @@ impl FlowNoSrcPort {
 
 pub struct SchedEvent {
     // Nanoseconds since an unspecified epoch (precise_time_ns()).
-    drop_time: u64,
+    drop_time: u128,
     flow: Flow,
 }
 
@@ -191,7 +191,7 @@ pub struct FlowTracker {
 }
 
 // Amount of time that we timeout all flows
-const TIMEOUT_TRACKED_NS: u64 = 30 * 1000 * 1000 * 1000;
+const TIMEOUT_TRACKED_NS: u128 = 30 * 1000 * 1000 * 1000;
 //const FIN_TIMEOUT_NS: u64 = 2*1000*1000*1000;
 
 impl Default for FlowTracker {

src/lib.rs

@@ -5,11 +5,11 @@ extern crate libc;
 #[macro_use]
 extern crate log;
 extern crate aes_gcm;
+extern crate chrono;
 extern crate errno;
 extern crate hex;
 extern crate pnet;
 extern crate rand;
-extern crate time;
 
 extern crate protobuf;
 extern crate redis;
@@ -20,7 +20,7 @@ extern crate tuntap; // https://github.com/ewust/tuntap.rs
 extern crate zmq;
 
 use std::mem::transmute;
-use time::precise_time_ns;
+use util::precise_time_ns;
 
 use serde_derive::Deserialize;
 use std::env;
@@ -93,7 +93,7 @@ pub struct PerCoreStats {
     // For computing measurement duration (because period won't be exactly 1
     // sec). Value is nanoseconds since an unspecified epoch. (It's a time,
     // not a duration).
-    last_measure_time: u64,
+    last_measure_time: u128,
 
     pub not_in_tree_this_period: u64,
     pub in_tree_this_period: u64,

src/logging.rs

@@ -1,6 +1,7 @@
+extern crate chrono;
 extern crate log;
-extern crate time;
 
+use chrono::Local;
 use log::{LogLevel, LogMetadata, LogRecord};
 
 pub struct SimpleLogger {
@@ -22,9 +23,10 @@ impl log::Log for SimpleLogger {
                     && !s.starts_with("tick_to")
                     && !s.starts_with("ticking"))
             {
-                let t = time::now();
+                let t = Local::now();
+                // let t = time::OffsetDateTime::now_local().unwrap();
                 // unwrap relies on "%b %d, %Y %T" being a valid format string.
-                let t_s = time::strftime("%Y-%m-%d %H:%M:%S.%f %z", &t).unwrap();
+                let t_s = t.format("%Y-%m-%d %H:%M:%S.%f %z").to_string();
                 println!("{} (Core {}) {}: {}", t_s, self.lcore_id, record.level(), s);
             }
         }

src/sessions.rs

@@ -46,16 +46,16 @@ use std::sync::{Arc, RwLock};
 use std::thread;
 
 use redis;
-use time::precise_time_ns;
+use util::precise_time_ns;
 
 use flow_tracker::{FlowNoSrcPort, FLOW_CLIENT_LOG};
 use protobuf::Message;
 use signalling::StationToDetector;
 
-const S2NS: u64 = 1000 * 1000 * 1000;
+const S2NS: u128 = 1000 * 1000 * 1000;
 // time to add beyond original timeout if a session is still receiving packets
 // that need to be forwarded to the data plane proxying logic. (300 s = 5 mins)
-const TIMEOUT_PHANTOMS_NS: u64 = 300 * S2NS;
+const TIMEOUT_PHANTOMS_NS: u128 = 300 * S2NS;
 
 // We _can_ filter by phantom port if we so choose, and randomize the port that
 // the clients connect to. However we are currently using exclusively port 443.
@@ -93,13 +93,13 @@ pub struct SessionDetails {
     pub client_ip: IpAddr,
     pub phantom_ip: IpAddr,
     pub phantom_port: u16,
-    timeout: u64,
+    timeout: u128,
 }
 
 impl SessionDetails {
     // This function parses acceptable Session Details and returns an error if
     // the details provided do not fit current requirements for parsing
-    pub fn new(client_ip: &str, phantom_ip: &str, timeout: u64) -> SessionResult {
+    pub fn new(client_ip: &str, phantom_ip: &str, timeout: u128) -> SessionResult {
         let phantom: IpAddr = match phantom_ip.parse() {
             Ok(ip) => ip,
             Err(_) => return Err(SessionError::InvalidPhantom),
@@ -141,7 +141,7 @@ impl From<&StationToDetector> for SessionResult {
     fn from(s2d: &StationToDetector) -> Self {
         let source = s2d.get_client_ip();
         let phantom = s2d.get_phantom_ip();
-        SessionDetails::new(source, phantom, s2d.get_timeout_ns())
+        SessionDetails::new(source, phantom, u128::from(s2d.get_timeout_ns()))
     }
 }
 
@@ -173,7 +173,7 @@ pub struct SessionTracker {
     // Note: In the future phantom port can be optionally added to the key
     // string to further filter incoming connections. This is left off for now
     // to allow for testing of source-refraction.
-    pub tracked_sessions: Arc<RwLock<HashMap<String, u64>>>,
+    pub tracked_sessions: Arc<RwLock<HashMap<String, u128>>>,
 }
 
 impl Default for SessionTracker {
@@ -253,7 +253,7 @@ impl SessionTracker {
         self.try_update_session_timeout(key, TIMEOUT_PHANTOMS_NS);
     }
 
-    fn try_update_session_timeout(&mut self, key: String, extra_time: u64) {
+    fn try_update_session_timeout(&mut self, key: String, extra_time: u128) {
         // Get writable map
         let mut mmap = self.tracked_sessions.write().expect("RwLock broken");
 
@@ -313,7 +313,7 @@ impl SessionTracker {
 }
 
 // No returns in this function so that it runs for the lifetime of the process.
-fn ingest_from_pubsub(map: Arc<RwLock<HashMap<String, u64>>>) {
+fn ingest_from_pubsub(map: Arc<RwLock<HashMap<String, u128>>>) {
     let mut con = get_redis_conn();
     let mut pubsub = con.as_pubsub();
     pubsub
@@ -400,6 +400,8 @@ mod tests {
     use signalling::StationToDetector;
     use std::{thread, time};
 
+    const S2NS_U64: u64 = 1000 * 1000 * 1000;
+
     #[test]
     #[ignore] // Requires redis to run properly.
     fn test_session_tracker_pubsub() {
@@ -411,18 +413,18 @@ mod tests {
         // redis::cmd("PUBLISH").arg("dark_decoy_map").arg(octs).execute(&self.redis_conn);
         let st = SessionTracker::new();
 
-        let test_tuples = [
+        let test_tuples: [(&str, &str, u64); 8] = [
             // (client_ip, phantom_ip, timeout)
             ("172.128.0.2", "8.0.0.1", 1), // timeout immediately
-            ("192.168.0.1", "10.10.0.1", 5 * S2NS),
-            ("192.168.0.1", "192.0.0.127", 5 * S2NS),
-            ("", "2345::6789", 5 * S2NS),
+            ("192.168.0.1", "10.10.0.1", 5 * S2NS_U64),
+            ("192.168.0.1", "192.0.0.127", 5 * S2NS_U64),
+            ("", "2345::6789", 5 * S2NS_U64),
             // duplicate with shorter timeout should not drop
-            ("2601::123:abcd", "2001::1234", 5 * S2NS),
-            ("::1", "2001::1234", S2NS),
+            ("2601::123:abcd", "2001::1234", 5 * S2NS_U64),
+            ("::1", "2001::1234", S2NS_U64),
             // duplicate with long timeout should prevent drop
             ("7.0.0.2", "8.8.8.8", 1),
-            ("7.0.0.2", "8.8.8.8", 5 * S2NS),
+            ("7.0.0.2", "8.8.8.8", 5 * S2NS_U64),
         ];
 
         st.spawn_update_thread();
@@ -500,7 +502,7 @@ mod tests {
             };
             // assert_eq!(entry.0, sd.client_ip.to_string());
             assert_eq!(entry.1, sd.phantom_ip.to_string());
-            assert_eq!(entry.2, sd.timeout)
+            assert_eq!(u128::from(entry.2), sd.timeout)
         }
 
         for entry in &test_tuples_bad {
@@ -574,19 +576,19 @@ mod tests {
         let test_tuples = [
             // (client_ip, phantom_ip, timeout)
             ("172.128.0.2", "8.0.0.1", 1, false), // timeout immediately
-            ("192.168.0.1", "10.10.0.1", 5 * S2NS, true),
-            ("192.168.0.1", "192.0.0.127", 5 * S2NS, true),
+            ("192.168.0.1", "10.10.0.1", 5 * S2NS_U64, true),
+            ("192.168.0.1", "192.0.0.127", 5 * S2NS_U64, true),
             // client registering with v4 will also create registrations for v6 just in-case
-            ("192.168.0.1", "2801::1234", 5 * S2NS, true),
+            ("192.168.0.1", "2801::1234", 5 * S2NS_U64, true),
             // duplicate with shorter timeout should not drop
-            ("2601::123:abcd", "2001::1234", 5 * S2NS, true),
-            ("::1", "2001::1234", S2NS, true),
+            ("2601::123:abcd", "2001::1234", 5 * S2NS_U64, true),
+            ("::1", "2001::1234", S2NS_U64, true),
             // duplicate with long timeout should prevent drop
             ("7.0.0.2", "8.8.8.8", 1, true),
-            ("7.0.0.2", "8.8.8.8", 5 * S2NS, true),
+            ("7.0.0.2", "8.8.8.8", 5 * S2NS_U64, true),
         ];
         for entry in &test_tuples {
-            let s1 = SessionDetails::new(entry.0, entry.1, entry.2).unwrap();
+            let s1 = SessionDetails::new(entry.0, entry.1, u128::from(entry.2)).unwrap();
             st.insert_session(s1);
         }
 

src/util.rs

@@ -8,6 +8,7 @@ use std::error::Error;
 use std::fs::File;
 use std::io::prelude::*;
 use std::io::BufReader;
+use std::time::SystemTime;
 
 use pnet::packet::ipv4::Ipv4Packet;
 use pnet::packet::ipv6::Ipv6Packet;
@@ -250,6 +251,13 @@ impl FSP {
     }
 }
 
+pub fn precise_time_ns() -> u128 {
+    let duration_since_epoch = SystemTime::now()
+        .duration_since(SystemTime::UNIX_EPOCH)
+        .unwrap();
+    duration_since_epoch.as_nanos()
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;