Resend.
From: Yao Cheng LIANG
Sent: Wednesday, May 20, 2015 12:23 PM
To: 'A V Mahesh'; [email protected]
Cc: Yao Cheng LIANG
Subject: RE: kptnd process crash.
Dear all,
I found the bug in cpnd_proc_getnext_section. The ckptnd process will crash in
this circumstance:
1. Suppose there are two sections in a checkpoint, with section IDs of
(int)1 and (int)255.
2. Application calls GetNextSection twice and reaches the section with
section ID of 255.
3. Another application inserts a section with section ID of (int)256.
Because we are using memcmp as below in cpnd_sec.cc:

    struct ltSectionIdT {
        bool operator()(const SaCkptSectionIdT *s1, const SaCkptSectionIdT *s2) const
        {
            bool status(false);
            if (s1->idLen < s2->idLen)
                status = true;
            else if (s1->idLen > s2->idLen)
                status = false;
            else
                status = (memcmp(s1->id, s2->id, s1->idLen) < 0);
            return status;
        }
    };

the section with ID of 256 (0x0100) is inserted before the section with ID of
255 (0x00ff), because for 256 the first byte is 0x00 while for 255 the first
byte is 0xFF.
4. Application calls GetNextSection again. Now there are three sections
in the checkpoint, and in function cpnd_proc_getnext_section:
get_next->n_secs_trav = 2, cp_node->replica_info.n_secs = 3, so the function
will run the code below:

    /* search the existing section id */
    *n_secs_trav = get_next->n_secs_trav;
    if (pSecPtr != NULL && *n_secs_trav != 0) {
        pSecPtr = cpnd_ckpt_sec_get(cp_node, &get_next->section_id);
        // [Ted]: This will get the sectionInfo of section 255
    }
    /* if next is NULL then return no more sections */
    if (pSecPtr == NULL) {
        TRACE_4("cpnd replica has no sections");
        return NCSCC_RC_FAILURE;
    }
    /* get section descriptor with given filter */
    if (*n_secs_trav == 0)
        pTmpSecPtr = pSecPtr;
    else
        pTmpSecPtr = cpnd_ckpt_sec_get_next(&cp_node->replica_info, pSecPtr);
        // [Ted]: because section 255 is the last section in the map,
        // pTmpSecPtr will be NULL
    switch (get_next->filter) {
    // [Ted]: if get_next->filter is SA_CKPT_SECTIONS_ANY, there is no check
    // whether pTmpSecPtr is NULL; there is a check for all other cases
    case SA_CKPT_SECTIONS_ANY:
        (*n_secs_trav)++;
        break;
    ...
    }
    cpnd_proc_fill_sec_desc(pTmpSecPtr, sec_des);
    // [Ted]: because pTmpSecPtr is NULL, calling cpnd_proc_fill_sec_desc
    // will cause ckptnd to core dump
Thanks.
Ted
_______________________________________________
Opensaf-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opensaf-users