[CONC-458] mysql_get_timeout_value crashes when used improperly Created: 2020-03-04  Updated: 2020-03-05  Resolved: 2020-03-05

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 3.1.6
Fix Version/s: 3.1.8

Type: Bug Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Georg Richter
Resolution: Fixed Votes: 0
Labels: None

Attachments: File test_get_timeout_value.c

Description

The KB says the following about mysql_get_timeout_value:

This should only be called when a _start() or _cont() function returns a value with the MYSQL_WAIT_TIMEOUT flag set. In this case, it returns the value, in seconds, after which a timeout has occurred and the application should call the appropriate _cont() function passing MYSQL_WAIT_TIMEOUT as the event that occurred.

This is used to handle connection and read timeouts.

https://mariadb.com/kb/en/non-blocking-api-reference/

However, if this function is used improperly, then it crashes.

I have attached a simple test program.

First, create a user account:

CREATE USER 'list_processes_test'@'localhost' IDENTIFIED BY 'test';
GRANT ALL PRIVILEGES ON *.* TO 'list_processes_test'@'localhost';

And then compile it:

$ gcc -ggdb $(mariadb_config --include --libs) ./test_get_timeout_value.c

And then run it via gdb:

$ gdb ./a.out
...
(gdb) run

It crashes with a segmentation fault with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ba20ef in mysql_get_timeout_value (mysql=0x623a70) at /usr/src/debug/MariaDB-10.4.11-5/src_0/libmariadb/libmariadb/mariadb_lib.c:1749
1749      unsigned int timeout= mysql->options.extension->async_context->timeout_value;
Missing separate debuginfos, use: debuginfo-install glibc-2.17-292.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-34.el7.x86_64 libcom_err-1.42.9-13.el7.x86_64 libselinux-2.5-14.1.el7.x86_64 openssl-libs-1.0.2k-16.el7_6.1.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) bt
#0  0x00007ffff7ba20ef in mysql_get_timeout_value (mysql=0x623a70) at /usr/src/debug/MariaDB-10.4.11-5/src_0/libmariadb/libmariadb/mariadb_lib.c:1749
#1  0x00000000004008a2 in main (argc=1, argv=0x7fffffffe558) at ./test_get_timeout_value.c:17

The crash happens here:

https://github.com/mariadb-corporation/mariadb-connector-c/blob/v3.1.6/libmariadb/mariadb_lib.c#L1749
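As an added illustration, not code from this ticket or from Connector/C: a self-contained model of the unguarded dereference at line 1749 next to a guarded variant, plus the caller-side rule from the KB text (consult the timeout only when a _start()/_cont() status has MYSQL_WAIT_TIMEOUT set). The struct layouts and the flag value are constructed stand-ins, not libmariadb's real definitions.

```c
#include <stddef.h>

/* Constructed stand-ins for the MYSQL fields named in the backtrace, not libmariadb's real layouts. */
#define MYSQL_WAIT_TIMEOUT 8  /* flag name from the non-blocking API; value assumed */
struct async_context { unsigned int timeout_value; };
struct options_extension { struct async_context *async_context; };
struct mysql_options { struct options_extension *extension; };
typedef struct { struct mysql_options options; } MYSQL;

/* Mirrors line 1749 of v3.1.6: the whole chain is dereferenced unconditionally,
   so a handle whose extension is still NULL segfaults here. */
unsigned int get_timeout_value_unguarded(const MYSQL *mysql)
{
  return mysql->options.extension->async_context->timeout_value;
}

/* Guarded variant: no async context set up yet means no timeout to report. */
unsigned int get_timeout_value_guarded(const MYSQL *mysql)
{
  if (!mysql || !mysql->options.extension || !mysql->options.extension->async_context)
    return 0;
  return mysql->options.extension->async_context->timeout_value;
}

/* Caller-side contract from the KB text: consult the timeout only when the
   status from a _start()/_cont() call has MYSQL_WAIT_TIMEOUT set. */
int timeout_if_requested(int status, const MYSQL *mysql, unsigned int *out)
{
  if (!(status & MYSQL_WAIT_TIMEOUT))
    return 0;
  *out = get_timeout_value_guarded(mysql);
  return 1;
}

/* Scenario 1: a handle fresh from mysql_init(), extension still NULL. */
unsigned int fresh_handle_timeout(void)
{
  MYSQL fresh = { { NULL } };
  return get_timeout_value_guarded(&fresh);  /* 0; the unguarded call would crash */
}

/* Scenario 2: async context holds a pending 30-second timeout (constructed). */
unsigned int active_handle_timeout(int status)
{
  struct async_context ctx = { 30 };
  struct options_extension ext = { &ctx };
  MYSQL active = { { &ext } };
  unsigned int t = 0;
  return timeout_if_requested(status, &active, &t) ? t : 0;
}
```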



Comments
Comment by Georg Richter [ 2020-03-05 ]

Fixed in rev. d4f75481f6c78da41ddc50742ffb3b89cb572d24
