[PATCH] xrow: fix request_str crash on long requests

Vladimir Davydov vdavydov.dev at gmail.com
Mon Mar 18 20:01:48 MSK 2019


On Mon, Mar 18, 2019 at 07:45:29PM +0300, Vladimir Davydov wrote:
> If tt_static_buf is too small to store the request string, 'pos' will
> become greater than 'end', and snprintf(pos, end - pos) will crash
> because it does not allow a negative buffer size. Use SNPRINT instead.
> ---
> https://github.com/tarantool/tarantool/tree/dv/fix-request-str-crash-on-long-requests
> 
>  src/box/xrow.c            | 33 ++++++++++++++++++++-------------
>  test/box-tap/cfg.test.lua | 21 ++++++++++++++++++++-
>  2 files changed, 40 insertions(+), 14 deletions(-)
> 
> diff --git a/src/box/xrow.c b/src/box/xrow.c
> index bddae1d5..4a0632fe 100644
> --- a/src/box/xrow.c
> +++ b/src/box/xrow.c
> @@ -675,13 +675,11 @@ done:
>  	return 0;
>  }
>  
> -const char *
> -request_str(const struct request *request)
> +static int
> +request_snprint(char *buf, int size, const struct request *request)
>  {
> -	char *buf = tt_static_buf();
> -	char *end = buf + TT_STATIC_BUF_LEN;
> -	char *pos = buf;
> -	pos += snprintf(pos, end - pos, "{type: '%s', "
> +	int total = 0;
> +	SNPRINT(total, snprintf, buf, size, "{type: '%s', "
>  			"replica_id: %u, lsn: %lld, "
>  			"space_id: %u, index_id: %u",
>  			iproto_type_name(request->type),
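Review bot: The new static `request_snprint()` has no comment stating its contract, and that contract is not obvious because `SNPRINT` (defined outside this patch) appears to advance `buf`/`size` and presumably returns from the function on a formatting error. I would add above the signature: `/** Print @a request into @a buf of @a size bytes; returns the length the full output needs (snprintf convention) or a negative value on error. */`. The "negative on error" half is what `request_str()` relies on in the next hunk; the length half is inferred from `return total` and should be confirmed against the macro. The function body continues past the end of this hunk.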
> @@ -690,18 +688,27 @@ request_str(const struct request *request)
>  			(unsigned) request->space_id,
>  			(unsigned) request->index_id);
>  	if (request->key != NULL) {
> -		pos += snprintf(pos, end - pos, ", key: ");
> -		pos += mp_snprint(pos, end - pos, request->key);
> +		SNPRINT(total, snprintf, buf, size, ", key:");

Oops, skipped ' '.

> +		SNPRINT(total, mp_snprint, buf, size, request->key);
>  	}
>  	if (request->tuple != NULL) {
> -		pos += snprintf(pos, end - pos, ", tuple: ");
> -		pos += mp_snprint(pos, end - pos, request->tuple);
> +		SNPRINT(total, snprintf, buf, size, ", tuple");

Lost the colon (:), sorry.

Amended on the branch.

> +		SNPRINT(total, mp_snprint, buf, size, request->tuple);
>  	}
>  	if (request->ops != NULL) {
> -		pos += snprintf(pos, end - pos, ", ops: ");
> -		pos += mp_snprint(pos, end - pos, request->ops);
> +		SNPRINT(total, snprintf, buf, size, ", ops: ");
> +		SNPRINT(total, mp_snprint, buf, size, request->ops);
>  	}
> -	pos += snprintf(pos, end - pos, "}");
> +	SNPRINT(total, snprintf, buf, size, "}");
> +	return total;
> +}
> +
> +const char *
> +request_str(const struct request *request)
> +{
> +	char *buf = tt_static_buf();
> +	if (request_snprint(buf, TT_STATIC_BUF_LEN, request) < 0)
> +		return "<failed to format request>";
>  	return buf;
>  }
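Review bot: `request_str()` only tests the result of `request_snprint()` for `< 0`, so a request that does not fit in `TT_STATIC_BUF_LEN` comes back silently truncated, with no closing `}` and no marker that the key/tuple/ops tail was cut; that matters if this string ends up in logs used for diagnosis or audit. If truncation is the intended behaviour, say so in a comment above `request_str()`, e.g. `/* Output longer than TT_STATIC_BUF_LEN is truncated; the string lives in tt_static_buf(). */`; otherwise keep the return value and compare it with `TT_STATIC_BUF_LEN` so a truncation marker can be appended. Whether the truncated buffer is always NUL-terminated depends on `mp_snprint` and `SNPRINT`, which are not visible here.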


