recv_parse_log_rec violates its contract re. incomplete recs for MLOG_CHECKPOINT

Bug #1484599 reported by Laurynas Biveinis
Affects                                                     Status         Importance   Assigned to   Milestone
MySQL Server                                                Unknown        Unknown
Percona Server moved to https://jira.percona.com/projects/PS   Status tracked in 5.7
  5.1                                                       Invalid        Undecided    Unassigned
  5.5                                                       Invalid        Undecided    Unassigned
  5.6                                                       Invalid        Undecided    Unassigned
  5.7                                                       Fix Released   Medium       Unassigned

Bug Description

Copy of

[13 Aug 16:21] Laurynas Biveinis
Description:
recv_parse_log_rec is documented as follows:

** Tries to parse a single log record.
...
@param[in] ptr pointer to a buffer
@param[in] end_ptr end of the buffer
...
@return length of the record, or 0 if the record was not complete */

The record is complete if its length <= end_ptr - ptr, in which case length is returned, otherwise the record is incomplete and zero is returned. This is true for all the record types except for MLOG_CHECKPOINT, for which SIZE_OF_MLOG_CHECKPOINT is returned regardless of end_ptr - ptr. Then the caller handles the incomplete record case itself. This could be a problem for patches that reuse recv_parse_log_rec for something else.

A uniform incomplete record handling regardless of the record type would be cleaner.

This state of things could be a result of MLOG_CHECKPOINT being a one-byte record originally, and being handled like the other one-byte records in this function.

How to repeat:
Code analysis.

Suggested fix:
@@ -2338,7 +2349,8 @@ recv_parse_log_rec(
                return(1);
        case MLOG_CHECKPOINT:
                *type = static_cast<mlog_id_t>(*ptr);
- return(SIZE_OF_MLOG_CHECKPOINT);
+ return ((end_ptr - ptr < SIZE_OF_MLOG_CHECKPOINT)
+ ? 0 : SIZE_OF_MLOG_CHECKPOINT);
        case MLOG_MULTI_REC_END | MLOG_SINGLE_REC_FLAG:
        case MLOG_DUMMY_RECORD | MLOG_SINGLE_REC_FLAG:
        case MLOG_CHECKPOINT | MLOG_SINGLE_REC_FLAG:
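Review bot: the `MLOG_CHECKPOINT | MLOG_SINGLE_REC_FLAG` case three lines below the change is left untouched, so please confirm it does not also return a fixed length for a truncated buffer, otherwise the contract is only half repaired. Two smaller points on the new lines: `*type = static_cast<mlog_id_t>(*ptr);` is still executed before the function reports the record incomplete, which is harmless for the current caller but worth a one-line comment since the doc comment promises nothing about `*type` on a 0 return; and the style `return ((end_ptr - ptr < SIZE_OF_MLOG_CHECKPOINT)` departs from the surrounding `return(1);` form, so `return(end_ptr - ptr < SIZE_OF_MLOG_CHECKPOINT ? 0 : SIZE_OF_MLOG_CHECKPOINT);` would read more consistently.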
@@ -2563,9 +2575,6 @@ loop:
                        /* Do nothing */
                        break;
                case MLOG_CHECKPOINT:
- if (end_ptr < ptr + SIZE_OF_MLOG_CHECKPOINT) {
- return(false);
- }
 #if SIZE_OF_MLOG_CHECKPOINT != 1 + 8
 # error SIZE_OF_MLOG_CHECKPOINT != 1 + 8
 #endif
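Review bot: with the `if (end_ptr < ptr + SIZE_OF_MLOG_CHECKPOINT)` guard removed, the 8-byte read that this case goes on to perform is safe only if the loop bails out on a zero length from recv_parse_log_rec before reaching this switch, and that bail-out is not in the hunk's context. Please confirm it is there, and add a short comment at the removed lines' position saying the length check now lives in recv_parse_log_rec; without it a later reader will see an unguarded read next to the `#if SIZE_OF_MLOG_CHECKPOINT != 1 + 8` check and assume the bounds check was dropped by mistake.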

tags: added: upstream
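The contract described in the report, as an added example that is not InnoDB's code nor the reporter's: a reduced C model of recv_parse_log_rec with the pre-fix MLOG_CHECKPOINT case beside the fixed one, and a caller that relies only on the documented "0 if the record was not complete" return. The type codes, the read_be64 helper, walk_records and the sample buffer are constructed for this example; only the 1 + 8 byte checkpoint size and the return shape of the suggested fix follow the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type codes for this model; the real mlog_id_t values are not needed. */
enum { MLOG_DUMMY_RECORD = 45, MLOG_CHECKPOINT = 57 };
#define SIZE_OF_MLOG_CHECKPOINT (1 + 8)   /* type byte + 8-byte checkpoint LSN, as in the report */

typedef size_t (*parse_fn)(const uint8_t *ptr, const uint8_t *end_ptr, int *type);

/* Pre-fix shape: MLOG_CHECKPOINT returns its full size whether or not
   end_ptr - ptr bytes are actually available. */
static size_t parse_log_rec_old(const uint8_t *ptr, const uint8_t *end_ptr, int *type)
{
    if (ptr >= end_ptr)
        return 0;
    *type = *ptr;
    switch (*type) {
    case MLOG_DUMMY_RECORD:
        return 1;
    case MLOG_CHECKPOINT:
        return SIZE_OF_MLOG_CHECKPOINT;   /* violates the "0 if incomplete" contract */
    default:
        return 0;                         /* unknown type: treated as unparseable here */
    }
}

/* Fixed shape, following the suggested fix: report 0 when the 9 bytes do not fit. */
static size_t parse_log_rec_new(const uint8_t *ptr, const uint8_t *end_ptr, int *type)
{
    if (ptr >= end_ptr)
        return 0;
    *type = *ptr;
    switch (*type) {
    case MLOG_DUMMY_RECORD:
        return 1;
    case MLOG_CHECKPOINT:
        return (end_ptr - ptr < SIZE_OF_MLOG_CHECKPOINT) ? 0 : SIZE_OF_MLOG_CHECKPOINT;
    default:
        return 0;
    }
}

/* Big-endian 8-byte read, a stand-in for InnoDB's mach_read_from_8 (assumption). */
static uint64_t read_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Walk a buffer the way a caller that trusts only the documented contract
   would: stop at the first record reported incomplete (len == 0). Instead of
   reading past end_ptr when the contract is broken, record the violation in
   *overran. Returns the number of complete records consumed; *lsn receives
   the LSN of the last complete checkpoint record. */
static size_t walk_records(parse_fn parse, const uint8_t *buf, size_t n,
                           uint64_t *lsn, int *overran)
{
    const uint8_t *ptr = buf, *end_ptr = buf + n;
    size_t count = 0;
    *overran = 0;
    while (ptr < end_ptr) {
        int type;
        size_t len = parse(ptr, end_ptr, &type);
        if (len == 0)
            break;                          /* incomplete: wait for more log */
        if (len > (size_t)(end_ptr - ptr)) {
            *overran = 1;                   /* parser claimed bytes it was not given */
            break;
        }
        if (type == MLOG_CHECKPOINT)
            *lsn = read_be64(ptr + 1);
        ptr += len;
        count++;
    }
    return count;
}

/* Constructed sample: dummy record, checkpoint with LSN 0x1234, dummy record. */
static const uint8_t sample[] = {
    MLOG_DUMMY_RECORD,
    MLOG_CHECKPOINT, 0, 0, 0, 0, 0, 0, 0x12, 0x34,
    MLOG_DUMMY_RECORD,
};

int main(void)
{
    uint64_t lsn = 0;
    int overran = 0;
    size_t n_full = sizeof sample;
    size_t n_cut = 5;   /* ends inside the checkpoint record: 4 of its 9 bytes present */

    size_t c = walk_records(parse_log_rec_new, sample, n_full, &lsn, &overran);
    printf("new/full: %zu records, lsn=0x%llx, overran=%d\n", c, (unsigned long long)lsn, overran);
    c = walk_records(parse_log_rec_old, sample, n_cut, &lsn, &overran);
    printf("old/cut:  %zu records, overran=%d\n", c, overran);
    c = walk_records(parse_log_rec_new, sample, n_cut, &lsn, &overran);
    printf("new/cut:  %zu records, overran=%d\n", c, overran);
    return 0;
}
```

With the full 11-byte buffer both parsers consume three records and decode the LSN. Cut at 5 bytes, the pre-fix parser claims 9 bytes with only 4 available, which is exactly the case the real caller had to guard against with its own `end_ptr < ptr + SIZE_OF_MLOG_CHECKPOINT` test; the fixed parser reports 0 and the caller stops cleanly without special-casing the type.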
Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Upstream fix in 5.7.9. Since there will be no PS release with version less than 5.7.9, there is little point in tracking this bug.

Revision history for this message
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3301
