From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Date: Mon, 18 Mar 2019 20:01:48 +0300
From: Vladimir Davydov
Subject: Re: [PATCH] xrow: fix request_str crash on long requests
Message-ID: <20190318170148.hfxwkm6agzadrvfo@esperanza>
References: <234177c19ce6bdc86ba64555f02f8fb76e3768a0.1552927469.git.vdavydov.dev@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <234177c19ce6bdc86ba64555f02f8fb76e3768a0.1552927469.git.vdavydov.dev@gmail.com>
To: tarantool-patches@freelists.org
List-ID:

On Mon, Mar 18, 2019 at 07:45:29PM +0300, Vladimir Davydov wrote:
> If tt_static_buf is too small to store the request string, 'pos' will
> become greater than 'end', leading to snprintf(pos, end - pos) crash, as
> it doesn't allow the buffer size to be negative. Use SNPRINT instead.
> ---
> https://github.com/tarantool/tarantool/tree/dv/fix-request-str-crash-on-long-requests
>
> src/box/xrow.c | 33 ++++++++++++++++++++-------------
> test/box-tap/cfg.test.lua | 21 ++++++++++++++++++++-
> 2 files changed, 40 insertions(+), 14 deletions(-)
>
> diff --git a/src/box/xrow.c b/src/box/xrow.c
> index bddae1d5..4a0632fe 100644
> --- a/src/box/xrow.c
> +++ b/src/box/xrow.c
> @@ -675,13 +675,11 @@ done:
> return 0;
> }
>
> -const char *
> -request_str(const struct request *request)
> +static int
> +request_snprint(char *buf, int size, const struct request *request)
> {
> - char *buf = tt_static_buf();
> - char *end = buf + TT_STATIC_BUF_LEN;
> - char *pos = buf;
> - pos += snprintf(pos, end - pos, "{type: '%s', "
> + int total = 0;
> + SNPRINT(total, snprintf, buf, size, "{type: '%s', "
> "replica_id: %u, lsn: %lld, "
> "space_id: %u, index_id: %u",
> iproto_type_name(request->type),
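Review bot: The new request_snprint() carries no contract comment, and its return value cannot be read off the signature alone; the only caller in this patch tests it for `< 0`, so the meaning of a non-negative result — presumably the length the full string would have, with `>= size` signalling truncation, if SNPRINT follows the snprintf convention — should be stated above the definition. Suggest `/** Format @a request into @a buf of @a size bytes, snprintf-style: returns the length of the full string (>= size means the output was truncated) or -1 on a formatting error. */`, to be confirmed against SNPRINT's definition, which is not visible here. The function body continues in the next hunk.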
> @@ -690,18 +688,27 @@ request_str(const struct request *request)
> (unsigned) request->space_id,
> (unsigned) request->index_id);
> if (request->key != NULL) {
> - pos += snprintf(pos, end - pos, ", key: ");
> - pos += mp_snprint(pos, end - pos, request->key);
> + SNPRINT(total, snprintf, buf, size, ", key:");

Oops, skipped ' '.

> + SNPRINT(total, mp_snprint, buf, size, request->key);
> }
> if (request->tuple != NULL) {
> - pos += snprintf(pos, end - pos, ", tuple: ");
> - pos += mp_snprint(pos, end - pos, request->tuple);
> + SNPRINT(total, snprintf, buf, size, ", tuple");

Lost the colon (:), sorry. Amended on the branch.

> + SNPRINT(total, mp_snprint, buf, size, request->tuple);
> }
> if (request->ops != NULL) {
> - pos += snprintf(pos, end - pos, ", ops: ");
> - pos += mp_snprint(pos, end - pos, request->ops);
> + SNPRINT(total, snprintf, buf, size, ", ops: ");
> + SNPRINT(total, mp_snprint, buf, size, request->ops);
> }
> - pos += snprintf(pos, end - pos, "}");
> + SNPRINT(total, snprintf, buf, size, "}");
> + return total;
> +}
> +
> +const char *
> +request_str(const struct request *request)
> +{
> + char *buf = tt_static_buf();
> + if (request_snprint(buf, TT_STATIC_BUF_LEN, request) < 0)
> + return "";
> return buf;
> }
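Review bot: request_str() keeps only the sign of request_snprint()'s result, so a request whose text exceeds TT_STATIC_BUF_LEN is now returned silently truncated — presumably without the closing `}` — and whoever reads the log line cannot tell a cut key or tuple from a complete one. Not crashing on a long (possibly client-controlled) request is the right trade for a diagnostic helper, but the truncation should be visible: keep the length, `int len = request_snprint(buf, TT_STATIC_BUF_LEN, request);`, and either document on request_str that the result is truncated when `len >= TT_STATIC_BUF_LEN` or overwrite the tail with a marker in that case. The `< 0` path returns the literal `""` after a partial write into the static buffer, which is safe since the caller never sees that buffer, but a one-line comment saying so would help. The whole fix rests on SNPRINT never passing a negative size on once the buffer is full; its definition is not in this patch, so confirm that behaviour rather than assume it.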