[jira] Assigned: (ZOOKEEPER-624) The C Client causes core dump when receiving error data from Zookeeper Server
[ https://issues.apache.org/jira/browse/ZOOKEEPER-624?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mahadev konar reassigned ZOOKEEPER-624:
---------------------------------------

    Assignee: Mahadev konar  (was: Benjamin Reed)

> The C Client causes core dump when receiving error data from Zookeeper Server
> -----------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-624
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-624
>             Project: Zookeeper
>          Issue Type: Bug
>          Components: c client
>    Affects Versions: 3.2.0
>         Environment: Linux 2.6.9 x86_64
>            Reporter: Qian Ye
>            Assignee: Mahadev konar
>             Fix For: 3.3.0
>
>
> I encountered a problem today that the Zookeeper C Client (version 3.2.0)
> core dumped when it reconnected and did some operations on the zookeeper server
> which had just restarted. The gdb information is like:
>
> (gdb) bt
> #0  0x00302af71900 in memcpy () from /lib64/tls/libc.so.6
> #1  0x0047bfe4 in ia_deserialize_string (ia=Variable "ia" is not available.) at src/recordio.c:270
> #2  0x0047ed20 in deserialize_CreateResponse (in=0x9cd870, tag=0x50a74e "reply", v=0x409ffe70) at generated/zookeeper.jute.c:679
> #3  0x0047a1d0 in zookeeper_process (zh=0x9c8c70, events=Variable "events" is not available.) at src/zookeeper.c:1895
> #4  0x004815e6 in do_io (v=Variable "v" is not available.) at src/mt_adaptor.c:310
> #5  0x00302b80610a in start_thread () from /lib64/tls/libpthread.so.0
> #6  0x00302afc6003 in clone () from /lib64/tls/libc.so.6
> #7  0x in ?? ()
> (gdb) f 1
> #1  0x0047bfe4 in ia_deserialize_string (ia=Variable "ia" is not available.) at src/recordio.c:270
> 270     in src/recordio.c
> (gdb) info locals
> priv = (struct buff_struct *) 0x9cd8d0
> len = -1
> rc = Variable "rc" is not available.
>
> According to the source code,
>
>     int ia_deserialize_string(struct iarchive *ia, const char *name, char **s)
>     {
>         struct buff_struct *priv = ia->priv;
>         int32_t len;
>         int rc = ia_deserialize_int(ia, "len", &len);
>         if (rc < 0)
>             return rc;
>         if ((priv->len - priv->off) < len) {
>             return -E2BIG;
>         }
>         *s = malloc(len+1);
>         if (!*s) {
>             return -ENOMEM;
>         }
>         memcpy(*s, priv->buffer+priv->off, len);
>         (*s)[len] = '\0';
>         priv->off += len;
>         return 0;
>     }
>
> the variable len is set by ia_deserialize_int, and the returned len isn't
> checked, so the client segfaults when trying to memcpy -1 bytes of data.
> In the source file recordio.c, there are many functions which don't check the
> returned len. They all might cause a segmentation fault in some situations.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
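As an added illustration (not code from the ZooKeeper project or from this thread), the string deserializer quoted in the report with the negative-length check added before the remaining-bytes comparison, which a negative len passes trivially. The buff_struct layout and read_int32 are assumed stand-ins for the client's private buffer and ia_deserialize_int (Jute encodes ints as 4-byte big-endian), and the replies fed to it are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the client's input buffer. */
struct buff_struct {
    const unsigned char *buffer;
    int32_t len;   /* total bytes in buffer */
    int32_t off;   /* current read offset */
};

/* Assumed stand-in for ia_deserialize_int: 4-byte big-endian int32. */
static int read_int32(struct buff_struct *priv, int32_t *out)
{
    if (priv->len - priv->off < 4)
        return -E2BIG;
    const unsigned char *p = priv->buffer + priv->off;
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    *out = (int32_t)u;
    priv->off += 4;
    return 0;
}

/* Hardened version of the quoted ia_deserialize_string. With len = -1 the
 * original "remaining < len" test is false, malloc(len+1) is malloc(0), and
 * memcpy runs with (size_t)-1, which is the crash in the gdb trace. */
int deserialize_string_checked(struct buff_struct *priv, char **s)
{
    int32_t len;
    int rc = read_int32(priv, &len);
    if (rc < 0)
        return rc;
    if (len < 0)                      /* the check the report says is missing */
        return -EINVAL;
    if (priv->len - priv->off < len)  /* unchanged bounds check */
        return -E2BIG;
    *s = malloc((size_t)len + 1);
    if (!*s)
        return -ENOMEM;
    memcpy(*s, priv->buffer + priv->off, (size_t)len);
    (*s)[len] = '\0';
    priv->off += len;
    return 0;
}

/* Decode one constructed reply; returns rc, *out is the string on success. */
int try_decode(const unsigned char *bytes, int32_t n, char **out)
{
    struct buff_struct priv = { bytes, n, 0 };
    *out = NULL;
    return deserialize_string_checked(&priv, out);
}
```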
[jira] Assigned: (ZOOKEEPER-624) The C Client causes core dump when receiving error data from Zookeeper Server
[ https://issues.apache.org/jira/browse/ZOOKEEPER-624?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Hunt reassigned ZOOKEEPER-624:
--------------------------------------

    Assignee: Benjamin Reed

Ben, can you have a look at this one as well?

> The C Client causes core dump when receiving error data from Zookeeper Server
> -----------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-624
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-624
>             Project: Zookeeper
>          Issue Type: Bug
>          Components: c client
>    Affects Versions: 3.2.0
>         Environment: Linux 2.6.9 x86_64
>            Reporter: Qian Ye
>            Assignee: Benjamin Reed
>             Fix For: 3.3.0
>
>
> I encountered a problem today that the Zookeeper C Client (version 3.2.0)
> core dumped when it reconnected and did some operations on the zookeeper server
> which had just restarted. The gdb information is like:
>
> (gdb) bt
> #0  0x00302af71900 in memcpy () from /lib64/tls/libc.so.6
> #1  0x0047bfe4 in ia_deserialize_string (ia=Variable "ia" is not available.) at src/recordio.c:270
> #2  0x0047ed20 in deserialize_CreateResponse (in=0x9cd870, tag=0x50a74e "reply", v=0x409ffe70) at generated/zookeeper.jute.c:679
> #3  0x0047a1d0 in zookeeper_process (zh=0x9c8c70, events=Variable "events" is not available.) at src/zookeeper.c:1895
> #4  0x004815e6 in do_io (v=Variable "v" is not available.) at src/mt_adaptor.c:310
> #5  0x00302b80610a in start_thread () from /lib64/tls/libpthread.so.0
> #6  0x00302afc6003 in clone () from /lib64/tls/libc.so.6
> #7  0x in ?? ()
> (gdb) f 1
> #1  0x0047bfe4 in ia_deserialize_string (ia=Variable "ia" is not available.) at src/recordio.c:270
> 270     in src/recordio.c
> (gdb) info locals
> priv = (struct buff_struct *) 0x9cd8d0
> len = -1
> rc = Variable "rc" is not available.
>
> According to the source code,
>
>     int ia_deserialize_string(struct iarchive *ia, const char *name, char **s)
>     {
>         struct buff_struct *priv = ia->priv;
>         int32_t len;
>         int rc = ia_deserialize_int(ia, "len", &len);
>         if (rc < 0)
>             return rc;
>         if ((priv->len - priv->off) < len) {
>             return -E2BIG;
>         }
>         *s = malloc(len+1);
>         if (!*s) {
>             return -ENOMEM;
>         }
>         memcpy(*s, priv->buffer+priv->off, len);
>         (*s)[len] = '\0';
>         priv->off += len;
>         return 0;
>     }
>
> the variable len is set by ia_deserialize_int, and the returned len isn't
> checked, so the client segfaults when trying to memcpy -1 bytes of data.
> In the source file recordio.c, there are many functions which don't check the
> returned len. They all might cause a segmentation fault in some situations.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.