This is a bug with binlog_read_log_file reading a body when it should not, so reading the following record caused tube_namelen to get an invalid value.
I have a patch to fix this on github: http://github.com/gbarr/beanstalkd/commit/eb9d50f115e024530a66a22399bd8049892fd3a0

Graham.

On Thu, Oct 15, 2009 at 7:27 AM, Philip Ross <[email protected]> wrote:
> I'm using beanstalkd 1.4.1 and have found a reproducible scenario that
> appears to write corrupt data to the binlog such that beanstalkd can't
> restart.
>
> After starting beanstalkd with an empty binlog directory, I run the
> following commands:
>
> C: use test
> S: USING test
> C: put 0 0 120 4
> C: test
> S: INSERTED 1
> C: put 0 0 120 4
> C: tes1
> S: INSERTED 2
> C: watch test
> S: WATCHING 2
> C: reserve
> S: RESERVED 1 4
> S: test
> C: release 1 0 120
> S: RELEASED
> C: reserve
> S: RESERVED 2 4
> S: tes1
> C: delete 2
> S: DELETED
> C: quit
>
> I then kill beanstalkd with `killall beanstalkd` (which does a SIGTERM).
>
> On restarting, I get the following errors:
>
> $ /usr/local/beanstalkd-1.4.1/bin/beanstalkd -d -b /tmp/beanstalktest -p 22300
> : binlog.c:342 in binlog_open: Cannot open binlog /binlog.2: Permission denied
> : binlog.c:545 in ensure_free_space: make_future_binlog
> : binlog.c:736 in binlog_init: error making first writable binlog
> Segmentation fault
>
> Note that it says 'Cannot open binlog /binlog.2' and not 'Cannot open
> binlog /tmp/beanstalktest/binlog.2'. During the read, a buffer
> overflow occurs reading a tubename from the binlog. This causes
> binlog_dir to be overwritten with a '\0' and binlog_open then tries to
> create a file in the root directory (which fails due to permissions).
>
> The buffer overflow occurs reading into tubename in
> binlog_read_log_file. The length of tubename (namelen) is read from
> the binlog, but isn't checked to see if it is less than the size of
> tubename.
>
> The attached patch checks namelen and sets it to 0 if it is >=
> MAX_TUBE_NAME_LEN.
>
> With this patch applied, beanstalkd starts up successfully, but I am
> still able to reserve the job that was deleted and the data for the
> released job is missing (so something still isn't quite right):
>
> C: watch test
> S: WATCHING 2
> C: reserve
> S: RESERVED 1 4
> C: delete 1
> S: DELETED
> C: reserve
> S: RESERVED 2 4
> S: tes1
> C: delete 2
> S: DELETED
>
> I'll continue to do some investigation into this, but it'd be much
> appreciated if anyone could give me some pointers as to where to look.
>
> Thanks,
>
> Phil
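As an added example (not beanstalkd's code, and not Graham's or Phil's patch), here is a bounds-checked read of a length-prefixed tube name from a binlog-style record. The record layout, the value of MAX_TUBE_NAME_LEN, the constructed records and the function names are all assumptions for the demonstration; the check mirrors the fix Phil describes (a namelen that would not fit the destination buffer is rejected and zeroed) and additionally refuses a record that is shorter than the length it announces, which is what a partially written log after a kill looks like.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (assumed, not beanstalkd's): a little-endian
 * 32-bit name length followed by that many name bytes. The limit's value
 * is chosen small for the demo; only the symbol name comes from the thread. */
#define MAX_TUBE_NAME_LEN 8

enum { NAME_OK = 0, NAME_BAD_LEN = -1, NAME_SHORT_RECORD = -2 };

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hardened read: namelen comes from the file and is untrusted, so it is
 * checked against the destination buffer before anything is copied, and
 * the record must actually contain the bytes it claims. */
int read_tube_name(const unsigned char *rec, size_t reclen,
                   char name[MAX_TUBE_NAME_LEN], uint32_t *namelen)
{
    if (reclen < 4) return NAME_SHORT_RECORD;
    *namelen = rd32le(rec);
    if (*namelen >= MAX_TUBE_NAME_LEN) {  /* would overrun name[] */
        *namelen = 0;                     /* the fix from the thread */
        return NAME_BAD_LEN;
    }
    if (reclen - 4 < *namelen) return NAME_SHORT_RECORD;
    memcpy(name, rec + 4, *namelen);
    name[*namelen] = '\0';
    return NAME_OK;
}

/* Constructed sample records for the three cases. */
static const unsigned char GOOD_REC[]  = { 4, 0, 0, 0, 't', 'e', 's', 't' };
/* length field 0x40000000: garbage read as a length, as in the report */
static const unsigned char BAD_REC[]   = { 0, 0, 0, 0x40, 't', 'e', 's', 't' };
/* announces 6 bytes but only 2 are present: a truncated tail record */
static const unsigned char TRUNC_REC[] = { 6, 0, 0, 0, 't', 'e' };
```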
