Bug #4594
null character in object name triggers segfault
Status:
Closed
% Done:
90%
Source:
Q/A
Severity:
3 - minor
Description
Parsing \n in lfn_parse_object_name is implemented with
out->append('\0');
which segfaults when using libstdc++ and g++ version 4.6.3 on Debian
GNU/Linux.
The problem can be reproduced with a single file containing
#include <string>
int main() { std::string s; s.append('\0'); }  // '\0' is a null pointer constant, so this selects append(const char *) with a null pointer
When compiled and run with
g++ -o a a.cc ; valgrind --tool=memcheck ./a
it outputs the following:
==7446== Invalid read of size 1
==7446==    at 0x40293A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7446==    by 0x4AE2C7B: std::string::append(char const*) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17)
==7446==    by 0x400769: main (in /tmp/a)
==7446==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7446==
==7446== Process terminating with default action of signal 11 (SIGSEGV)
==7446==  Access not within mapped region at address 0x0
==7446==    at 0x40293A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7446==    by 0x4AE2C7B: std::string::append(char const*) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17)
Updated by Loïc Dachary about 11 years ago
- File INCITS ISO IEC 14882-2012.pdf added
- File cpp98.pdf added
There is no append(charT) method in C++98 or C++11, which means it relies on an implicit conversion that is bogus. It would be better to rely on the basic_string& operator+=(charT c) method as defined in ISO 14882-1998 (page 385) through ISO 14882-2012 (page 640).
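The following is an added example, not code from the bug report, the comment above, or the Ceph tree. It shows why out->append('\0') from the description crashes (the character literal '\0' is an integral constant expression with value zero, hence a null pointer constant, so overload resolution picks append(const char *) and strlen is run on a null pointer), and it puts the two correct spellings side by side: append(1, '\0') and the operator+=(charT) form suggested in the comment. The decoder wraps that in a small unescape routine in the style of lfn_parse_object_name; the page only documents the "\n" -> NUL rule, and the "\\" -> backslash rule used here is an assumption so that a literal backslash can still be represented. The c_string_length helper makes the security-relevant point visible: once a name carries an embedded NUL, its std::string size and its C-string length disagree, which is exactly the mismatch that bites when such a name reaches strlen/strcmp/open-style APIs.

```cpp
// Added example (not Ceph code): decoding an escaped object name where the
// two-character sequence "\n" stands for a NUL byte.
#include <cstdio>
#include <cstring>
#include <string>

// The buggy form from the bug report, kept as text only:
//   out->append('\0');
// '\0' is a null pointer constant in C++98/C++03/C++11, so this resolves to
// append(const char *) with a null pointer and strlen(NULL) faults.

// Correct form 1: the (size_type n, charT c) overload cannot be confused
// with a pointer.
static void append_nul(std::string *out) {
    out->append(1, '\0');
}

// Correct form 2: operator+=(charT), as suggested in the comment thread.
// Returns a copy of s with one NUL appended so the effect is observable.
std::string with_nul(const std::string &s) {
    std::string out(s);
    out += '\0';
    return out;
}

// Decode an escaped name. Rules: "\n" -> NUL (from the bug page);
// "\\" -> '\' (assumed here, hypothetical); any other escape is kept
// verbatim rather than silently dropped.
std::string decode_escaped(const std::string &in) {
    std::string out;
    for (std::string::const_iterator i = in.begin(); i != in.end(); ++i) {
        if (*i != '\\') {
            out.append(1, *i);
            continue;
        }
        ++i;
        if (i == in.end()) {          // trailing lone backslash: keep it
            out.append(1, '\\');
            break;
        }
        switch (*i) {
        case 'n':
            append_nul(&out);
            break;
        case '\\':
            out.append(1, '\\');
            break;
        default:                      // unknown escape: keep both characters
            out.append(1, '\\');
            out.append(1, *i);
            break;
        }
    }
    return out;
}

// Length as seen by C-string functions: stops at the first NUL, so it
// disagrees with std::string::size() once a NUL has been decoded.
size_t c_string_length(const std::string &s) {
    return std::strlen(s.c_str());
}

int main() {
    std::string name = decode_escaped("foo\\nbar");   // constructed input
    std::printf("decoded size = %zu, C-string length = %zu\n",
                name.size(), c_string_length(name));
    return 0;
}
```

Compiling the commented-out buggy line with a recent g++ also produces a warning about converting a zero constant to a pointer, which is a cheap way to find other instances of the same pattern in a code base.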
Updated by Loïc Dachary about 11 years ago
- Due date changed from 03/30/2013 to 03/31/2013
- Status changed from In Progress to Resolved
Updated by Patrick McGarry almost 7 years ago
- File deleted (INCITS ISO IEC 14882-2012.pdf)