What happens when mysql_fetch_row() returns a valid pointer to free'd memory?
Is this a bug in the library or ??
To reproduce this I'm running freeradius with about 10 different background
test clients repeatedly testing a login feature, at the same time running
a script that randomly sleeps between stopping and starting the database.
SuSE 7.3# rpm -qa | grep mysql
mysql-shared-3.23.44-5
mysql-client-3.23.44-5
The expectation is that mysql_fetch_row() should either return NULL, as the
documentation suggests, or a valid pointer to valid memory.
I had to run this with electric fence, btw, to catch this.
--
Todd Fries .. [EMAIL PROTECTED]
(last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $)
----- Forwarded message from "Todd T. Fries" <[EMAIL PROTECTED]> -----
Date: Wed, 21 Aug 2002 14:36:08 -0500
From: "Todd T. Fries" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Error: CHILD: exit on signal (11)
In-Reply-To: <[EMAIL PROTECTED]>
The code path this follows is ..
rlm_sql.c:
static int rlm_sql_authorize(void *instance, REQUEST * request) {
    [..]
    ret = rlm_sql_fetch_row(sqlsocket, inst);
    ....
        sql_mysql.c:
        int sql_fetch_row(SQLSOCK * sqlsocket, SQL_CONFIG *config) {
            rlm_sql_mysql_sock *mysql_sock = sqlsocket->conn;
            sqlsocket->row = mysql_fetch_row(mysql_sock->result);
            if (sqlsocket->row == NULL) {
                return sql_check_error(mysql_errno(mysql_sock->sock));
            }
            return 0;
        }
    ....
    if (ret) {
        radlog(L_ERR, "rlm_sql_authorize: query failed");
        return RLM_MODULE_FAIL;
    }
    row = sqlsocket->row;
    if (row == NULL) {
        radlog(L_ERR, "rlm_sql_authorize: no rows returned from query (no such user)");
        return RLM_MODULE_OK;
    }
    if (row[0] == NULL) {
        radlog(L_ERR, "rlm_sql_authorize: row[0] returned NULL.");
        return RLM_MODULE_OK;
    }
    if ((passwd_item = pairmake("User-Password",row[0],T_OP_SET)) != NULL)
        pairadd(&request->config_items,passwd_item);
Now please help me understand if I'm understanding this right. It would
appear some kind of failure is happening in the mysql_fetch_row, and it is,
instead of returning NULL, returning freed memory. At least my research
suggests it SHOULD return NULL on any failure or valid, allocated memory
on success ...
http://www.mysql.com/doc/en/mysql_fetch_row.html
On a side note, perhaps I should release the socket only when the access of
the 'row' pointer is done? Or perhaps the api should be altered (again) to
pass a pointer array into fetch_row so that the socket can be released without
the potential for over-writing prior results?
Penned by Todd T. Fries on Wed, Aug 21, 2002 at 01:54:34PM -0500, we have:
| ..more..
|
| (gdb) bt full
| #0 rlm_sql_authorize (instance=0x42735fd0, request=0x42a5bf74)
| at rlm_sql.c:492
| check_tmp = (VALUE_PAIR *) 0x0
| reply_tmp = (VALUE_PAIR *) 0x0
| passwd_item = (VALUE_PAIR *) 0x42a81034
| found = 1
| sqlsocket = (SQLSOCK *) 0x427d1fe8
| row = 0x42a81034
| querystr = "SELECT Value,Attribute FROM radcheck WHERE UserName = 'toddtest'
|AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute =
|'Crypt-Password' ) ORDER BY Attribute DESC\000ergroup.GroupName"...
| ret = 0
| sqlusername = "toddtest", '\000' <repeats 509 times>
| #1 0x080569f0 in call_modsingle (component=1, sp=0x42729fcc,
| request=0x42a5bf74, default_result=6) at modcall.c:211
| component = 1
| sp = (modsingle *) 0x42729fcc
| request = (REQUEST *) 0x42a5bf74
| myresult = 1118158708
| #2 0x08056b68 in modcall (component=1, c=0x42729fcc, request=0x42a5bf74)
| at modcall.c:315
| sp = (modsingle *) 0x42a81034
| c = (modcallable *) 0x42729fcc
| ---Type <return> to continue, or q <return> to quit---q
| Quit
| (gdb) print row
| $1 = 0x42a81034
| (gdb) print *row
| $2 = 0x42a81040 "XKgM9N6tR3Xw2"
| (gdb) print row[0]
| $3 = 0x42a81040 "XKgM9N6tR3Xw2"
| (gdb)
|
| Penned by Alan DeKok on Mon, Aug 19, 2002 at 02:42:19PM -0400, we have:
| | "Todd T. Fries" <[EMAIL PROTECTED]> wrote:
| | > It seems to happen when the database is doing a hot-backup and is
| | > unresponsive/slow for a few (10-15) minutes.
| |
| | If authorization depends on that database, and it goes down for
| | 10-15 minutes, then there's not much point in running the server
| | during that time.
| |
| | If the MySQL server really does disappear during backups, I'd
| | suggest doing something else to keep the RADIUS alive...
| |
| |
| | > Mon Aug 19 00:16:47 2002 : Error: rlm_sql: There are no DB handles to use!
| | > Mon Aug 19 00:17:37 2002 : Error: CHILD: exit on signal (11)
| |
| | Hmm.. that's an unchecked de-referencing of a NULL pointer
| | somewhere. Without more information, it's hard to know where.
| |
| | Alan DeKok.
| |
| | -
| | List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
|
----- End forwarded message -----
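Added example, not code from this thread, FreeRADIUS or the MySQL client: the API change suggested above (a fetch_row that copies the columns into a caller-owned array, so the socket and result can be released at once without the row pointer outliving them), worked through in C against a hypothetical stand-in for MYSQL_RES/MYSQL_ROW. It also keeps the two meanings of a NULL from mysql_fetch_row() apart (no more rows versus error) the way sql_fetch_row() does with mysql_errno().

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for MYSQL_RES/MYSQL_ROW so this runs without
 * libmysqlclient: a row is a char ** whose strings live inside the result. */
typedef struct {
    char *buf;        /* backing storage for every column value */
    char *cols[2];    /* one row, two columns: Value, Attribute */
    int fetched, err; /* row already handed out; mysql_errno() stand-in */
} fake_res;
/* Constructed sample result: the (Value, Attribute) row of a radcheck query. */
fake_res *fake_store_result(void) {
    static const char v[] = "examplepw", a[] = "User-Password";
    fake_res *r = calloc(1, sizeof *r);
    r->buf = malloc(sizeof v + sizeof a);
    memcpy(r->buf, v, sizeof v);
    memcpy(r->buf + sizeof v, a, sizeof a);
    r->cols[0] = r->buf;
    r->cols[1] = r->buf + sizeof v;
    return r;
}

/* Like mysql_fetch_row(): NULL both at end of rows and on error. */
char **fake_fetch_row(fake_res *r) {
    if (r->err || r->fetched) return NULL;
    r->fetched = 1;
    return r->cols;
}
/* Like mysql_free_result(): every row pointer dies with the result. */
void fake_free_result(fake_res *r) { free(r->buf); free(r); }
/* Fetch one row into caller-owned copies so the result (and the socket holding
 * it) can be released before the values are used. 1 = row, 0 = none, -1 = error. */
int sql_fetch_row_copy(fake_res *r, char **out, size_t ncols) {
    char **row = fake_fetch_row(r);
    if (row == NULL) return r->err ? -1 : 0;
    for (size_t i = 0; i < ncols; i++)
        out[i] = row[i] ? strdup(row[i]) : NULL;   /* SQL NULL stays NULL */
    return 1;
}

/* rlm_sql_authorize's ordering done safely: copy, release, then use; caller frees. */
char *password_for_user(fake_res *r) {
    char *cols[2] = {0};
    int ret = sql_fetch_row_copy(r, cols, 2);
    fake_free_result(r);            /* safe: cols[] no longer point into r */
    free(cols[1]);
    if (ret != 1 || cols[0] == NULL) { free(cols[0]); return NULL; }
    return cols[0];
}
```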