Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
2.2.17
-
None
Description
The prepared statement handling code uses an incorrect function to calculate whether the response is complete. The correct way is to calculate how many packets have been received in total.
The following was the ASAN report that revealed the problem.
=================================================================
|
==14315==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffc381eceaa at pc 0x7fde7bb5c4f7 bp 0x7ffc381ece70 sp 0x7ffc381ece60
|
READ of size 2 at 0x7ffc381eceaa thread T0
|
#0 0x7fde7bb5c4f6 in modutil_count_signal_packets /home/markusjm/MaxScale/server/core/modutil.cc:732
|
#1 0x7fde72cd8c59 in complete_ps_response /home/markusjm/MaxScale/server/modules/protocol/MySQL/mariadbbackend/mysql_backend.c:675
|
#2 0x7fde72cd9935 in gw_read_and_write /home/markusjm/MaxScale/server/modules/protocol/MySQL/mariadbbackend/mysql_backend.c:840
|
#3 0x7fde72cd783c in gw_read_backend_event /home/markusjm/MaxScale/server/modules/protocol/MySQL/mariadbbackend/mysql_backend.c:484
|
#4 0x7fde7bb16686 in dcb_process_poll_events /home/markusjm/MaxScale/server/core/dcb.cc:3070
|
#5 0x7fde7bb16df2 in dcb_handler /home/markusjm/MaxScale/server/core/dcb.cc:3155
|
#6 0x7fde7bb16f41 in dcb_poll_handler /home/markusjm/MaxScale/server/core/dcb.cc:3191
|
#7 0x7fde7bbe25d8 in maxscale::Worker::poll_waitevents() /home/markusjm/MaxScale/server/core/worker.cc:1212
|
#8 0x7fde7bbe0a6e in maxscale::Worker::run() /home/markusjm/MaxScale/server/core/worker.cc:892
|
#9 0x40d29c in main /home/markusjm/MaxScale/server/core/gateway.cc:2292
|
#10 0x7fde791c911a in __libc_start_main (/lib64/libc.so.6+0x2311a)
|
#11 0x405199 in _start (/home/markusjm/build-2.2/bin/maxscale+0x405199)
|
|
Address 0x7ffc381eceaa is located in stack of thread T0
|
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /home/markusjm/MaxScale/server/core/modutil.cc:732 in modutil_count_signal_packets
|
Shadow bytes around the buggy address:
|
0x100007035980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x100007035990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x1000070359a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x1000070359b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x1000070359c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x1000070359d0: ca ca ca ca 00[03]cb cb cb cb cb cb 00 00 00 00
|
0x1000070359e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x1000070359f0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f2 f2 f2
|
0x100007035a00: f2 f2 f2 f2 00 01 f2 f2 00 00 00 00 00 00 00 00
|
0x100007035a10: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 01 f2
|
0x100007035a20: f2 f2 f2 f2 f2 f2 00 04 f2 f2 f3 f3 f3 f3 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==14315==ABORTING
|