Large rows cannot be read if packet_size exceeds max buffer size

Bug #643772 reported by David Mikulec
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Drizzle
Fix Released
Low
Andrew Hutchings
7.0
Fix Released
Low
Andrew Hutchings
Drizzle Client & Protocol Library
Won't Fix
Undecided
Unassigned

Bug Description

In rev 147, there was a bug fix for bug #571579 - I am not able to view that bug report, but I assume it outlines a problem which we were also seeing (i.e. potential access of uninitialized memory from con->buffer_ptr). It appears though that there is a new bug introduced by that fix. For large rows, the amount of data in the packet may exceed the max size of our read buffer. In the following code, if our buffer is already full, but still we have not read con->packet_size worth of data, we will go to drizzle_state_read and attempt to read 0 bytes, which will return 0 and thus disconnect us.

drizzle_return_t drizzle_state_row_read(drizzle_con_st *con)
{
  drizzle_log_debug(con->drizzle, "drizzle_state_row_read");

  if (con->packet_size != 0 && con->buffer_size < con->packet_size)
  {
    drizzle_state_push(con, drizzle_state_read);
    return DRIZZLE_RETURN_OK;
  }

I believe the fix is to change the if statement above to read:

if (con->packet_size != 0 && con->buffer_size < con->packet_size && con->buffer_size < 5)

We only need up to 5 bytes of data for the purposes of drizzle_state_row_read, so this change would ensure we have enough to avoid any invalid memory accesses in this function, but leave the handling of large responses to other functions which are prepared to handle that.

Related branches

Revision history for this message
Evan Jones (evanj) wrote :

I was running into this problem, and this fixed it for me. I don't like that the number 5 is hard coded in here, but it works for me for the moment. Would it be helpful to put this fix in a bzr branch?

Revision history for this message
Andrew Hutchings (linuxjedi) wrote :

This looks like it is already fixed in the libdrizzle inside the Drizzle trunk but I will take a look.

Changed in drizzle:
assignee: nobody → Andrew Hutchings (linuxjedi)
importance: Undecided → Low
milestone: none → 2010-11-08
status: New → Triaged
Revision history for this message
Andrew Hutchings (linuxjedi) wrote :

I'm wrong with that comment, we seem to be a few revs behind.

Changed in drizzle:
status: Triaged → Fix Committed
milestone: 2010-11-08 → 2010-10-25
Changed in libdrizzle:
status: New → Won't Fix
Revision history for this message
Andrew Hutchings (linuxjedi) wrote :

This fix also fixes problems which caused rev.147 to be removed when merging libdrizzle->drizzle. So drizzle now has rev.147 and the fix supplied by David.

Changed in drizzle:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers