[jira] Assigned: (ZOOKEEPER-624) The C Client cause core dump when receive error data from Zookeeper Server

2010-03-05 Thread Mahadev konar (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-624?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mahadev konar reassigned ZOOKEEPER-624:
---

Assignee: Mahadev konar  (was: Benjamin Reed)

 The C Client cause core dump when receive error data from Zookeeper Server
 --

 Key: ZOOKEEPER-624
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-624
 Project: Zookeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.2.0
 Environment: Linux 2.6.9 x86_64
Reporter: Qian Ye
Assignee: Mahadev konar
 Fix For: 3.3.0


 I encountered a problem today where the Zookeeper C Client (version 3.2.0) 
 core dumped after reconnecting and doing some operations on the zookeeper 
 server, which had just restarted. The gdb information is like:
 (gdb) bt
 #0  0x00302af71900 in memcpy () from /lib64/tls/libc.so.6
 #1  0x0047bfe4 in ia_deserialize_string (ia=Variable ia is not 
 available.) at src/recordio.c:270
 #2  0x0047ed20 in deserialize_CreateResponse (in=0x9cd870, 
 tag=0x50a74e reply, v=0x409ffe70) at generated/zookeeper.jute.c:679
 #3  0x0047a1d0 in zookeeper_process (zh=0x9c8c70, events=Variable 
 events is not available.) at src/zookeeper.c:1895
 #4  0x004815e6 in do_io (v=Variable v is not available.) at 
 src/mt_adaptor.c:310
 #5  0x00302b80610a in start_thread () from /lib64/tls/libpthread.so.0
 #6  0x00302afc6003 in clone () from /lib64/tls/libc.so.6
 #7  0x in ?? ()
 (gdb) f 1
 #1  0x0047bfe4 in ia_deserialize_string (ia=Variable ia is not 
 available.) at src/recordio.c:270
 270 in src/recordio.c
 (gdb) info locals
 priv = (struct buff_struct *) 0x9cd8d0
 len = -1
 rc = Variable rc is not available.
 According to the source code,
 int ia_deserialize_string(struct iarchive *ia, const char *name, char **s)
 {
     struct buff_struct *priv = ia->priv;
     int32_t len;
     int rc = ia_deserialize_int(ia, "len", &len);
     if (rc < 0)
         return rc;
     /* len comes straight from the wire and is never checked for being negative */
     if ((priv->len - priv->off) < len) {
         return -E2BIG;
     }
     *s = malloc(len+1);
     if (!*s) {
         return -ENOMEM;
     }
     memcpy(*s, priv->buffer+priv->off, len);
     (*s)[len] = '\0';
     priv->off += len;
     return 0;
 }
 The variable len is set by ia_deserialize_int, and the returned len isn't 
 checked, so the client segfaults when trying to memcpy -1 bytes of data.
 In the source file recordio.c, there are many functions which don't check the 
 returned len. They all might cause a segmentation fault in some kinds of situations.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
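A hardened form of the length check discussed in the report, as an added example rather than code from the ZooKeeper project: the buff_struct layout, the read_int32 helper and the -EINVAL return are assumptions standing in for the client's iarchive internals. With len = -1 the original comparison (remaining < -1) is false, malloc(0) succeeds, and memcpy is handed (size_t)-1, which is the crash in the backtrace.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the client's buff_struct: buffer, length, read offset. */
struct buff_struct {
    const char *buffer;
    int32_t len;
    int32_t off;
};

/* Read the big-endian int32 length prefix that jute puts before a string. */
static int read_int32(struct buff_struct *priv, int32_t *out)
{
    if (priv->len - priv->off < 4)
        return -E2BIG;
    const unsigned char *p = (const unsigned char *)priv->buffer + priv->off;
    *out = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
    priv->off += 4;
    return 0;
}

/* Hardened ia_deserialize_string: reject a negative length before it reaches
 * malloc(len+1) (malloc(0) for -1) and memcpy(..., (size_t)-1). */
int safe_deserialize_string(struct buff_struct *priv, char **s)
{
    int32_t len;
    int rc = read_int32(priv, &len);
    if (rc < 0)
        return rc;
    if (len < 0)                      /* the check the report says is missing */
        return -EINVAL;
    if (priv->len - priv->off < len)  /* now compares two non-negative values */
        return -E2BIG;
    *s = malloc((size_t)len + 1);     /* size_t: no int overflow at INT32_MAX */
    if (!*s)
        return -ENOMEM;
    memcpy(*s, priv->buffer + priv->off, (size_t)len);
    (*s)[len] = '\0';
    priv->off += len;
    return 0;
}
```

The same bounds discipline applies to every length-prefixed field in recordio.c (buffers, vectors, strings), which is the broader point the reporter makes.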



[jira] Assigned: (ZOOKEEPER-624) The C Client cause core dump when receive error data from Zookeeper Server

2010-01-21 Thread Patrick Hunt (JIRA)

[ https://issues.apache.org/jira/browse/ZOOKEEPER-624?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Hunt reassigned ZOOKEEPER-624:
--

Assignee: Benjamin Reed

Ben, can you have a look at this one as well?

 The C Client cause core dump when receive error data from Zookeeper Server
 --

 Key: ZOOKEEPER-624
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-624
 Project: Zookeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.2.0
 Environment: Linux 2.6.9 x86_64
Reporter: Qian Ye
Assignee: Benjamin Reed
 Fix For: 3.3.0

