[ https://issues.apache.org/jira/browse/ZOOKEEPER-2186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14538294#comment-14538294 ]
ASF GitHub Bot commented on ZOOKEEPER-2186:
-------------------------------------------

GitHub user rgs1 opened a pull request:

    https://github.com/apache/zookeeper/pull/30

    ZOOKEEPER-2186: QuorumCnxManager#receiveConnection may crash with ran…

    …dom input

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rgs1/zookeeper ZOOKEEPER-2186

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/30.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #30

----
commit ff9cdc570fb4c84acf3c8b0c64875b5e54d82523
Author: Raul Gutierrez S <r...@twitter.com>
Date:   2015-05-11T17:48:47Z

    ZOOKEEPER-2186: QuorumCnxManager#receiveConnection may crash with random input

----

> QuorumCnxManager#receiveConnection may crash with random input
> --------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2186
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2186
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.4.6, 3.5.0
>            Reporter: Raul Gutierrez Segales
>            Assignee: Raul Gutierrez Segales
>             Fix For: 3.4.7, 3.5.1, 3.6.0
>
>         Attachments: ZOOKEEPER-2186.patch
>
>
> This will allocate an arbitrarily large byte buffer (and try to read it!):
> {code}
>     public boolean receiveConnection(Socket sock) {
>         Long sid = null;
> ...
>                 sid = din.readLong();
>                 // next comes the #bytes in the remainder of the message
>
>                 int num_remaining_bytes = din.readInt();
>                 byte[] b = new byte[num_remaining_bytes];
>                 // remove the remainder of the message from din
>
>                 int num_read = din.read(b);
> {code}
> This will crash the QuorumCnxManager thread, so the cluster will keep going
> but future elections might fail to converge (ditto for leaving/joining
> members).
> Patch coming up in a bit.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
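
An added example, not part of the original message and not the ZooKeeper patch: one way to read the length-prefixed remainder quoted above without trusting the declared size. The class name, the `MAX_REMAINING_BYTES` cap of 2048, the helper names and the sample messages are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class BoundedRemainderReader {
    // Assumed upper bound for this example; not a value taken from ZooKeeper.
    static final int MAX_REMAINING_BYTES = 2048;

    /** Reads the declared length, validates it, and only then allocates and reads. */
    static byte[] readRemainder(DataInputStream din) throws IOException {
        int numRemainingBytes = din.readInt();
        // A negative length would throw NegativeArraySizeException and a huge one
        // could throw OutOfMemoryError; neither is an IOException.
        if (numRemainingBytes < 0 || numRemainingBytes > MAX_REMAINING_BYTES) {
            throw new IOException("Unreasonable remainder length: " + numRemainingBytes);
        }
        byte[] b = new byte[numRemainingBytes];
        // read(b) may return fewer bytes; readFully throws EOFException on a short message.
        din.readFully(b);
        return b;
    }

    /** Builds a constructed message: sid, declared length, then the payload bytes. */
    static DataInputStream message(long sid, int declaredLen, byte[] payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeLong(sid);
        out.writeInt(declaredLen);
        out.write(payload);
        return new DataInputStream(new ByteArrayInputStream(bos.toByteArray()));
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = "constructed-payload".getBytes(StandardCharsets.UTF_8);
        // Declared lengths: correct, oversized, negative, longer than the data sent.
        int[] declared = { payload.length, Integer.MAX_VALUE, -1, payload.length + 4 };
        for (int len : declared) {
            DataInputStream din = message(1L, len, payload);
            long sid = din.readLong();
            try {
                byte[] b = readRemainder(din);
                System.out.println("sid=" + sid + " accepted " + b.length + " bytes");
            } catch (IOException e) {
                // The caller can close the socket here and keep its thread running.
                System.out.println("sid=" + sid + " rejected: " + e);
            }
        }
    }
}
```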