[jira] Created: (ZOOKEEPER-624) The C Client cause core dump when receive error data from Zookeeper Server

Mon, 14 Dec 2009 19:18:44 -0800 

The C Client cause core dump when receive error data from Zookeeper Server
--------------------------------------------------------------------------

                 Key: ZOOKEEPER-624
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-624
             Project: Zookeeper
          Issue Type: Bug
          Components: c client
    Affects Versions: 3.2.0
         Environment: Linux 2.6.9 x86_64
            Reporter: Qian Ye


I encountered a problem today that the Zookeeper C Client (version 3.2.0) core 
dump when reconnected and did some operations on the zookeeper server which 
just restarted. The gdb infomation is like:

(gdb) bt
#0  0x000000302af71900 in memcpy () from /lib64/tls/libc.so.6
#1  0x000000000047bfe4 in ia_deserialize_string (ia=Variable "ia" is not 
available.) at src/recordio.c:270
#2  0x000000000047ed20 in deserialize_CreateResponse (in=0x9cd870, tag=0x50a74e 
"reply", v=0x409ffe70) at generated/zookeeper.jute.c:679
#3  0x000000000047a1d0 in zookeeper_process (zh=0x9c8c70, events=Variable 
"events" is not available.) at src/zookeeper.c:1895
#4  0x00000000004815e6 in do_io (v=Variable "v" is not available.) at 
src/mt_adaptor.c:310
#5  0x000000302b80610a in start_thread () from /lib64/tls/libpthread.so.0
#6  0x000000302afc6003 in clone () from /lib64/tls/libc.so.6
#7  0x0000000000000000 in ?? ()
(gdb) f 1
#1  0x000000000047bfe4 in ia_deserialize_string (ia=Variable "ia" is not 
available.) at src/recordio.c:270
270     in src/recordio.c
(gdb) info locals
priv = (struct buff_struct *) 0x9cd8d0
len = -1
rc = Variable "rc" is not available.

According to the source code,
int ia_deserialize_string(struct iarchive *ia, const char *name, char **s)
{
    struct buff_struct *priv = ia->priv;
    int32_t len;
    int rc = ia_deserialize_int(ia, "len", &len);
    if (rc < 0)
        return rc;
    if ((priv->len - priv->off) < len) {
        return -E2BIG;
    }
    *s = malloc(len+1);
    if (!*s) {
        return -ENOMEM;
    }
    memcpy(*s, priv->buffer+priv->off, len);
    (*s)[len] = '\0';
    priv->off += len;
    return 0;
}

the variable len is set by ia_deserialize_int, and the returned len doesn't 
been checked, so the client segment fault when trying to memcpy -1 byte data.
In the source file recordio.c, there are many functions which don't check the 
returned len. They all might cause segment fault in some kind of  situations.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to