recv_parse_log_rec violates its contract re. incomplete recs for MLOG_CHECKPOINT
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MySQL Server | Unknown | Unknown | | |
| Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | | |
| 5.1 | Invalid | Undecided | Unassigned | |
| 5.5 | Invalid | Undecided | Unassigned | |
| 5.6 | Invalid | Undecided | Unassigned | |
| 5.7 | Fix Released | Medium | Unassigned | |
Bug Description
Copy of [13 Aug 16:21] Laurynas Biveinis
Description:
recv_parse_log_rec is documented as follows:
** Tries to parse a single log record.
...
@param[in] ptr pointer to a buffer
@param[in] end_ptr end of the buffer
...
@return length of the record, or 0 if the record was not complete */
The record is complete if its length <= end_ptr - ptr, in which case length is returned, otherwise the record is incomplete and zero is returned. This is true for all the record types except for MLOG_CHECKPOINT, for which SIZE_OF_
A uniform incomplete record handling regardless of the record type would be cleaner.
This state of things could be a result of MLOG_CHECKPOINT being a one-byte record originally, and being handled like the other one-byte records in this function.
How to repeat:
Code analysis.
Suggested fix:
@@ -2338,7 +2349,8 @@ recv_parse_log_rec(
case MLOG_CHECKPOINT:
- return(
+ return ((end_ptr - ptr < SIZE_OF_
+ ? 0 : SIZE_OF_
case MLOG_MULTI_REC_END | MLOG_SINGLE_
case MLOG_DUMMY_RECORD | MLOG_SINGLE_
case MLOG_CHECKPOINT | MLOG_SINGLE_
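Review bot: the ternary in the MLOG_CHECKPOINT case now returns 0 when fewer than SIZE_OF_... bytes remain before end_ptr, which is what the function's doc comment promises for an incomplete record; since the comparison mixes the signed pointer difference `end_ptr - ptr` with the size macro, confirm the build does not emit a sign-comparison warning here (or cast explicitly), and consider a one-line comment on this case explaining why it, unlike the single-byte cases that follow it, performs its own bounds check.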
@@ -2563,9 +2575,6 @@ loop:
- if (end_ptr < ptr + SIZE_OF_
- return(false);
- }
#if SIZE_OF_
# error SIZE_OF_
#endif
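Review bot: dropping the `if (end_ptr < ptr + SIZE_OF_...) { return(false); }` pre-check in the loop is only behaviour-preserving if the code path that follows now calls recv_parse_log_rec for the checkpoint record and treats its 0 return exactly as the removed check did (return false and wait for more bytes); that call site is outside this hunk, so please confirm it rather than rely on the first hunk alone. Keeping the `#if SIZE_OF_...` / `#error` guard is right, since the size assumption now enforced inside recv_parse_log_rec still needs a compile-time check.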
tags: added: upstream
Upstream fix in 5.7.9. Since there will be no PS release with version less than 5.7.9, there is little point in tracking this bug.
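The contract in the report above (return the record length, or 0 if the record is not completely inside the buffer) is what keeps a caller that trusts the return value from reading past end_ptr. The following is an added example, not code from the bug report or from InnoDB: it uses constructed record types, an assumed 9-byte checkpoint record named CHECKPOINT_REC_SIZE (InnoDB's own constant and its name are not taken from the page), a simplified recovery loop walk_records, and a constructed byte buffer. parse_rec_before mimics the pre-fix behaviour the report describes for the checkpoint case; parse_rec_after applies the uniform incomplete-record handling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record-type tags for this example; they are not InnoDB's
 * real MLOG_* values, and the layouts below are simplifications. */
enum rec_type { REC_DUMMY = 1, REC_MULTI_END = 2, REC_CHECKPOINT = 3, REC_DATA = 4 };

/* Assumed size of a checkpoint record: 1 type byte + 8-byte checkpoint
 * number. The name is this example's own, not InnoDB's constant. */
#define CHECKPOINT_REC_SIZE 9

typedef size_t (*parse_fn)(const uint8_t *ptr, const uint8_t *end_ptr);

/* Shared parser body. Contract: return the record length, or 0 if the
 * record is not completely contained in [ptr, end_ptr). With
 * checkpoint_checks_bounds == 0 the checkpoint case mimics the behaviour
 * the report describes: it returns its fixed size without checking. */
static size_t parse_rec(const uint8_t *ptr, const uint8_t *end_ptr,
                        int checkpoint_checks_bounds) {
    if (ptr >= end_ptr) return 0;              /* not even the type byte */
    size_t avail = (size_t)(end_ptr - ptr);
    switch (ptr[0]) {
    case REC_DUMMY:
    case REC_MULTI_END:
        return 1;                               /* genuine one-byte records */
    case REC_CHECKPOINT:
        if (!checkpoint_checks_bounds) return CHECKPOINT_REC_SIZE;
        return (avail < CHECKPOINT_REC_SIZE) ? 0 : CHECKPOINT_REC_SIZE;
    case REC_DATA: {
        /* type byte, 1-byte payload length, payload */
        if (avail < 2) return 0;
        size_t len = 2 + (size_t)ptr[1];
        return (avail < len) ? 0 : len;
    }
    default:
        return 0;                               /* unknown type: unparseable */
    }
}

size_t parse_rec_before(const uint8_t *ptr, const uint8_t *end_ptr) {
    return parse_rec(ptr, end_ptr, 0);
}
size_t parse_rec_after(const uint8_t *ptr, const uint8_t *end_ptr) {
    return parse_rec(ptr, end_ptr, 1);
}

/* A caller in the style of a recovery loop: trusts the parser's length to
 * advance. Returns the number of complete records consumed, or -1 if the
 * parser returned a length that would have read past end_ptr. */
long walk_records(parse_fn parse, const uint8_t *buf, size_t n) {
    const uint8_t *ptr = buf, *end_ptr = buf + n;
    long complete = 0;
    while (ptr < end_ptr) {
        size_t len = parse(ptr, end_ptr);
        if (len == 0) break;                    /* incomplete: wait for more bytes */
        if (len > (size_t)(end_ptr - ptr)) return -1;   /* would overrun */
        ptr += len;
        complete++;
    }
    return complete;
}

/* Constructed buffer: a dummy record, a 3-byte data record, then a
 * checkpoint record of which only 5 of its 9 bytes have arrived. */
const uint8_t TRUNCATED[] = { REC_DUMMY,
                              REC_DATA, 3, 0xAA, 0xBB, 0xCC,
                              REC_CHECKPOINT, 0x01, 0x02, 0x03, 0x04 };
const size_t TRUNCATED_LEN = sizeof(TRUNCATED);
const size_t CHECKPOINT_OFFSET = 6;             /* index of the checkpoint's type byte */

/* Constructed buffer with the same records, the checkpoint complete, plus an end marker. */
const uint8_t COMPLETE[] = { REC_DUMMY,
                             REC_DATA, 3, 0xAA, 0xBB, 0xCC,
                             REC_CHECKPOINT, 1, 2, 3, 4, 5, 6, 7, 8,
                             REC_MULTI_END };
const size_t COMPLETE_LEN = sizeof(COMPLETE);

int main(void) {
    const uint8_t *cp = TRUNCATED + CHECKPOINT_OFFSET, *end = TRUNCATED + TRUNCATED_LEN;
    printf("truncated checkpoint: before=%zu after=%zu\n",
           parse_rec_before(cp, end), parse_rec_after(cp, end));
    printf("walk truncated: before=%ld after=%ld\n",
           walk_records(parse_rec_before, TRUNCATED, TRUNCATED_LEN),
           walk_records(parse_rec_after, TRUNCATED, TRUNCATED_LEN));
    printf("walk complete: before=%ld after=%ld\n",
           walk_records(parse_rec_before, COMPLETE, COMPLETE_LEN),
           walk_records(parse_rec_after, COMPLETE, COMPLETE_LEN));
    return 0;
}
```

On the truncated buffer the pre-fix parser reports 9 bytes where only 5 remain, so a loop that advances by the returned length would step past end_ptr (walk_records flags this as -1); the uniform contract returns 0 and the loop stops with the two complete records, exactly as it does for every other record type.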