The GitHub Actions job "Lint" on tvm.git/main has failed. Run started by GitHub user tlopex (triggered by tlopex).
Head commit for run:
a7463e9b2da4bed070db2938caaed9ca030b49a6 / Bl4ckSku11 <[email protected]>
[RPC][Tracker] Bound msg_size to MAX_TRACKER_MSG_BYTES to prevent unbounded buffer growth (#19586)

Fixes #<issue-number>.

Reads of `_msg_size` from the tracker socket are now bounded to `MAX_TRACKER_MSG_BYTES = 1 MiB`, and the 4-byte size header is consumed at read time. Without these checks, a single TCP connection from a peer can grow the tracker process buffer until OOM, and a wire size of 0 starves the parser without ever freeing the bytes.

Per the TVM security model the tracker is deployed on trusted networks, so this is filed as a robustness defect, not a security advisory. Apache security team triage (private thread, 2026-05-17) confirmed this is the right channel.

### Test

Added regression test in tests/python/contrib/test_rpc_tracker.py that completes the magic handshake, sends an oversized msg_size header (0x7FFFFFFF), and asserts the tracker closes the connection.

### Changes

- python/tvm/rpc/tracker.py: bound `_msg_size` to (0, MAX_TRACKER_MSG_BYTES], consume size header on read.
- tests/python/contrib/test_rpc_tracker.py: regression test.

Report URL: https://github.com/apache/tvm/actions/runs/26351489055

With regards,
GitHub Actions via GitBox
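
The bounded read described in the commit message above, as an added example that is not code from TVM or from the commit: an incremental parser for size-prefixed frames that consumes the 4-byte header when it is read and rejects any size outside `(0, MAX_TRACKER_MSG_BYTES]`. The class and method names and the little-endian signed header encoding are assumptions of this sketch; only the 1 MiB constant and the accepted range come from the message.

```python
import struct

MAX_TRACKER_MSG_BYTES = 1 << 20  # 1 MiB, the bound named in the commit message


class FrameError(Exception):
    """Size header outside (0, MAX_TRACKER_MSG_BYTES]; caller should close the socket."""


class BoundedFrameParser:
    """Hypothetical incremental parser: 4-byte size header followed by payload."""

    def __init__(self, max_size=MAX_TRACKER_MSG_BYTES):
        self._buf = bytearray()
        self._msg_size = 0  # 0 means no header has been read for the next frame
        self._max_size = max_size

    def feed(self, data):
        """Append received bytes and return every payload that is now complete."""
        self._buf += data
        frames = []
        while True:
            if self._msg_size == 0:
                if len(self._buf) < 4:
                    break
                # Assumed encoding: little-endian signed 32-bit size.
                (size,) = struct.unpack("<i", self._buf[:4])
                del self._buf[:4]  # consume the header as soon as it is read
                if size <= 0 or size > self._max_size:
                    self._buf.clear()  # free what the peer already sent
                    raise FrameError(f"msg_size {size} out of bounds")
                self._msg_size = size
            if len(self._buf) < self._msg_size:
                break  # wait for more bytes; at most max_size are still owed
            frames.append(bytes(self._buf[: self._msg_size]))
            del self._buf[: self._msg_size]
            self._msg_size = 0
        return frames

    def buffered(self):
        """Number of bytes currently held, for monitoring or tests."""
        return len(self._buf)
```
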
