From: Vladimir Davydov <vdavydov.dev@gmail.com>
To: tarantool-patches@freelists.org
Subject: Re: [PATCH] xrow: fix request_str crash on long requests
Date: Mon, 18 Mar 2019 20:01:48 +0300 [thread overview]
Message-ID: <20190318170148.hfxwkm6agzadrvfo@esperanza> (raw)
In-Reply-To: <234177c19ce6bdc86ba64555f02f8fb76e3768a0.1552927469.git.vdavydov.dev@gmail.com>
On Mon, Mar 18, 2019 at 07:45:29PM +0300, Vladimir Davydov wrote:
> If tt_static_buf is too small to store the request string, 'pos' will
> become greater than 'end', leading to snprintf(pos, end - pos) crash, as
> it doesn't allow the buffer size to be negative. Use SNPRINT instead.
> ---
> https://github.com/tarantool/tarantool/tree/dv/fix-request-str-crash-on-long-requests
>
> src/box/xrow.c | 33 ++++++++++++++++++++-------------
> test/box-tap/cfg.test.lua | 21 ++++++++++++++++++++-
> 2 files changed, 40 insertions(+), 14 deletions(-)
>
> diff --git a/src/box/xrow.c b/src/box/xrow.c
> index bddae1d5..4a0632fe 100644
> --- a/src/box/xrow.c
> +++ b/src/box/xrow.c
> @@ -675,13 +675,11 @@ done:
> return 0;
> }
>
> -const char *
> -request_str(const struct request *request)
> +static int
> +request_snprint(char *buf, int size, const struct request *request)
> {
> - char *buf = tt_static_buf();
> - char *end = buf + TT_STATIC_BUF_LEN;
> - char *pos = buf;
> - pos += snprintf(pos, end - pos, "{type: '%s', "
> + int total = 0;
> + SNPRINT(total, snprintf, buf, size, "{type: '%s', "
> "replica_id: %u, lsn: %lld, "
> "space_id: %u, index_id: %u",
> iproto_type_name(request->type),
> @@ -690,18 +688,27 @@ request_str(const struct request *request)
> (unsigned) request->space_id,
> (unsigned) request->index_id);
> if (request->key != NULL) {
> - pos += snprintf(pos, end - pos, ", key: ");
> - pos += mp_snprint(pos, end - pos, request->key);
> + SNPRINT(total, snprintf, buf, size, ", key:");
Oops, skipped ' '.
> + SNPRINT(total, mp_snprint, buf, size, request->key);
> }
> if (request->tuple != NULL) {
> - pos += snprintf(pos, end - pos, ", tuple: ");
> - pos += mp_snprint(pos, end - pos, request->tuple);
> + SNPRINT(total, snprintf, buf, size, ", tuple");
Lost the colon (:), sorry.
Amended on the branch.
> + SNPRINT(total, mp_snprint, buf, size, request->tuple);
> }
> if (request->ops != NULL) {
> - pos += snprintf(pos, end - pos, ", ops: ");
> - pos += mp_snprint(pos, end - pos, request->ops);
> + SNPRINT(total, snprintf, buf, size, ", ops: ");
> + SNPRINT(total, mp_snprint, buf, size, request->ops);
> }
> - pos += snprintf(pos, end - pos, "}");
> + SNPRINT(total, snprintf, buf, size, "}");
> + return total;
> +}
> +
> +const char *
> +request_str(const struct request *request)
> +{
> + char *buf = tt_static_buf();
> + if (request_snprint(buf, TT_STATIC_BUF_LEN, request) < 0)
> + return "<failed to format request>";
> return buf;
> }
next prev parent reply other threads:[~2019-03-18 17:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-18 16:45 Vladimir Davydov
2019-03-18 17:01 ` Vladimir Davydov [this message]
2019-03-18 17:53 ` Vladimir Davydov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190318170148.hfxwkm6agzadrvfo@esperanza \
--to=vdavydov.dev@gmail.com \
--cc=tarantool-patches@freelists.org \
--subject='Re: [PATCH] xrow: fix request_str crash on long requests' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox