Project

General

Profile

Bug #21338

There is a big risk in function bufferlist::claim_prepend()

Added by Ivan Guan almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Correctness/Safety
Target version:
-
Start date:
09/11/2017
Due date:
% Done:

0%

Source:
Community (user)
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS):
librados
Pull request ID:

Description

Recently i found a design flaw in the study of the bufferlist. There is a big risk if we call buffer::list::claim_prepend() after calling buffer::list::copy() or
buffer::list::splice() etc which change the last_p. The moment if we call buffer::list::copy() a core will be produced when the last.p is not point to ls.begin().

As shown in the picture in the annex.

Fortunately, there is no similar usage of claim_prepend() in our current code so don't have any problem.I think we can fix this hidden danger and give it more usage,
what do you think about it.

The steps of reproduceļ¼š

#include <rados/librados.hpp>
#include <iostream>
#include <string>

int main(int argc, const char **argv)
{
  int ret = 0;

  std::string ptr1("ptr 1");  //5
  std::string ptr2("ptr 22"); //6
  std::string ptr3("ptr 333");//7
  std::string ptr4("ptr 4444");//8

  librados::bufferlist src_buf;
  librados::bufferlist dest_buf;

  librados::bufferlist b1;
  b1.append(ptr1);
  librados::bufferlist b2;
  b2.append(ptr2);
  librados::bufferlist b3;
  b3.append(ptr3);
  librados::bufferlist b4;
  b4.append(ptr4);

  src_buf.claim_append(b1);
  src_buf.claim_append(b2);
  src_buf.claim_append(b3);

  std::cout << "src_buf is "<< src_buf <<std::endl;

  src_buf.splice(0, 5);
  std::cout << "src_buf is "<< src_buf <<std::endl;

  std::cout << "claim_prepend  to src_buf" << std::endl;
  src_buf.claim_prepend(b4);
  std::cout << "src_buf is "<< src_buf <<std::endl;

  std::cout << "start copy to dest_buf" << std::endl;
  src_buf.copy(0, src_buf.length(), dest_buf);

  std::cout << "dest_buf is "<< dest_buf <<std::endl;
}

claim_prepend.png View (37.9 KB) Ivan Guan, 09/11/2017 06:57 AM

History

#1 Updated by Kefu Chai almost 2 years ago

  • Project changed from Ceph to RADOS
  • Category changed from librados to Correctness/Safety
  • Status changed from New to Need Review
  • Assignee set to Ivan Guan
  • Target version deleted (v10.2.10)
  • Component(RADOS) librados added

#2 Updated by Kefu Chai almost 2 years ago

  • Status changed from Need Review to Resolved

Also available in: Atom PDF