The C client causes a core dump when it receives erroneous data from the Zookeeper server
--------------------------------------------------------------------------
Key: ZOOKEEPER-624
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-624
Project: Zookeeper
Issue Type: Bug
Components: c client
Affects Versions: 3.2.0
Environment: Linux 2.6.9 x86_64
Reporter: Qian Ye

I encountered a problem today: the Zookeeper C Client (version 3.2.0) core dumped when it reconnected and did some operations on the zookeeper server which had just restarted. The gdb information looks like this:

    (gdb) bt
    #0  0x000000302af71900 in memcpy () from /lib64/tls/libc.so.6
    #1  0x000000000047bfe4 in ia_deserialize_string (ia=Variable "ia" is not available.) at src/recordio.c:270
    #2  0x000000000047ed20 in deserialize_CreateResponse (in=0x9cd870, tag=0x50a74e "reply", v=0x409ffe70) at generated/zookeeper.jute.c:679
    #3  0x000000000047a1d0 in zookeeper_process (zh=0x9c8c70, events=Variable "events" is not available.) at src/zookeeper.c:1895
    #4  0x00000000004815e6 in do_io (v=Variable "v" is not available.) at src/mt_adaptor.c:310
    #5  0x000000302b80610a in start_thread () from /lib64/tls/libpthread.so.0
    #6  0x000000302afc6003 in clone () from /lib64/tls/libc.so.6
    #7  0x0000000000000000 in ?? ()
    (gdb) f 1
    #1  0x000000000047bfe4 in ia_deserialize_string (ia=Variable "ia" is not available.) at src/recordio.c:270
    270     in src/recordio.c
    (gdb) info locals
    priv = (struct buff_struct *) 0x9cd8d0
    len = -1
    rc = Variable "rc" is not available.

According to the source code,

    int ia_deserialize_string(struct iarchive *ia, const char *name, char **s)
    {
        struct buff_struct *priv = ia->priv;
        int32_t len;
        int rc = ia_deserialize_int(ia, "len", &len);
        if (rc < 0)
            return rc;
        if ((priv->len - priv->off) < len) {
            return -E2BIG;
        }
        *s = malloc(len+1);
        if (!*s) {
            return -ENOMEM;
        }
        memcpy(*s, priv->buffer+priv->off, len);
        (*s)[len] = '\0';
        priv->off += len;
        return 0;
    }

the variable len is set by ia_deserialize_int, and the returned len isn't checked, so the client segfaults when trying to memcpy -1 bytes of data.
In the source file recordio.c, there are many functions which don't check the returned len. They all might cause segmentation faults in some situations.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
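The report above boils down to one missing check: a length read from the wire is signed, and `(priv->len - priv->off) < len` can never reject a negative value because the remaining byte count is never negative, so `len = -1` reaches `malloc(0)` and then `memcpy` with `(size_t)-1`. The following is an added, self-contained C example (not ZooKeeper's code; `buff_struct`, `deserialize_int`, `deserialize_string_checked`, `decode_from_bytes` and the `demo_*` helpers are stand-ins written for this illustration) showing a hardened string deserializer that rejects a negative length before any allocation or copy and then bounds-checks against the bytes left in the buffer. The three wire records are constructed sample data, not captured traffic; the integer is read big-endian, which is how the jute format encodes it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the client's buff_struct: a byte buffer plus a read cursor. */
struct buff_struct {
    const char *buffer;
    int32_t len;   /* total bytes held in buffer */
    int32_t off;   /* bytes already consumed */
};

/* Read one big-endian int32 from the buffer (the jute wire encoding for ints). */
static int deserialize_int(struct buff_struct *priv, int32_t *out)
{
    if (priv->len - priv->off < 4)
        return -E2BIG;
    const unsigned char *p = (const unsigned char *)priv->buffer + priv->off;
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    *out = (int32_t)v;
    priv->off += 4;
    return 0;
}

/* Hardened string deserializer: the sign check is the part the 3.2.0 code lacked. */
int deserialize_string_checked(struct buff_struct *priv, char **s)
{
    int32_t len;
    int rc = deserialize_int(priv, &len);
    if (rc < 0)
        return rc;
    /* A negative len passes "remaining < len" because remaining >= 0 > len,
     * and would then reach memcpy as (size_t)-1. Reject it before allocating. */
    if (len < 0)
        return -EINVAL;
    if ((priv->len - priv->off) < len)
        return -E2BIG;
    *s = malloc((size_t)len + 1);
    if (!*s)
        return -ENOMEM;
    memcpy(*s, priv->buffer + priv->off, (size_t)len);
    (*s)[len] = '\0';
    priv->off += len;
    return 0;
}

/* Wrap a raw byte string in a buff_struct and decode one string from it.
 * Returns the rc; on success *out holds the string and the caller frees it. */
int decode_from_bytes(const char *bytes, int32_t nbytes, char **out)
{
    struct buff_struct b = { bytes, nbytes, 0 };
    *out = NULL;
    return deserialize_string_checked(&b, out);
}

/* Constructed sample wire records (hypothetical, not captured from a server). */
static const char WIRE_OK[]        = "\x00\x00\x00\x05hello"; /* len=5 followed by "hello" */
static const char WIRE_NEGATIVE[]  = "\xff\xff\xff\xff";       /* len=-1: the crashing input */
static const char WIRE_TRUNCATED[] = "\x00\x00\x00\x09hi";     /* len=9 but only 2 bytes follow */

/* Returns 1 when the well-formed record decodes to "hello", 0 otherwise. */
int demo_valid(void)
{
    char *s = NULL;
    int rc = decode_from_bytes(WIRE_OK, (int32_t)(sizeof(WIRE_OK) - 1), &s);
    int ok = (rc == 0 && s != NULL && strcmp(s, "hello") == 0);
    free(s);
    return ok;
}

/* Returns the rc for the len=-1 record: -EINVAL instead of a memcpy crash. */
int demo_negative(void)
{
    char *s = NULL;
    return decode_from_bytes(WIRE_NEGATIVE, (int32_t)(sizeof(WIRE_NEGATIVE) - 1), &s);
}

/* Returns the rc for a record whose declared length exceeds the buffer: -E2BIG. */
int demo_truncated(void)
{
    char *s = NULL;
    return decode_from_bytes(WIRE_TRUNCATED, (int32_t)(sizeof(WIRE_TRUNCATED) - 1), &s);
}

int main(void)
{
    printf("valid record decodes correctly: %d\n", demo_valid());
    printf("negative length rc: %d (expect %d)\n", demo_negative(), -EINVAL);
    printf("truncated record rc: %d (expect %d)\n", demo_truncated(), -E2BIG);
    return 0;
}
```

The same two checks (`len < 0`, then `remaining < len`) apply to every function in recordio.c that reads a length prefix before copying, which is the broader point the report makes; a negative or oversized length from a peer should surface as an error code, never as a call into memcpy.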