Bug #21338 (closed)
There is a big risk in function bufferlist::claim_prepend()
% Done: 0%
Source: Community (user)
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(RADOS): librados
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
Recently I found a design flaw while studying the bufferlist. There is a big risk if we call buffer::list::claim_prepend() after calling buffer::list::copy() or
buffer::list::splice() etc., which change the last_p. The moment we call buffer::list::copy(), a core will be produced when the last.p does not point to ls.begin(),
as shown in the picture in the annex.
Fortunately, there is no similar usage of claim_prepend() in our current code, so we don't have any problem. I think we can fix this hidden danger and give it more usage.
What do you think about it?
Steps to reproduce:
#include <rados/librados.hpp>
#include <iostream>
#include <string>

int main(int argc, const char **argv)
{
    int ret = 0;
    std::string ptr1("ptr 1");    // length 5
    std::string ptr2("ptr 22");   // length 6
    std::string ptr3("ptr 333");  // length 7
    std::string ptr4("ptr 4444"); // length 8

    librados::bufferlist src_buf;
    librados::bufferlist dest_buf;

    // One single-segment bufferlist per string.
    librados::bufferlist b1;
    b1.append(ptr1);
    librados::bufferlist b2;
    b2.append(ptr2);
    librados::bufferlist b3;
    b3.append(ptr3);
    librados::bufferlist b4;
    b4.append(ptr4);

    // src_buf now holds three segments: b1, b2, b3.
    src_buf.claim_append(b1);
    src_buf.claim_append(b2);
    src_buf.claim_append(b3);
    std::cout << "src_buf is " << src_buf << std::endl;

    // Remove the first 5 bytes (the b1 segment); this changes last_p.
    src_buf.splice(0, 5);
    std::cout << "src_buf is " << src_buf << std::endl;

    // Put b4 in front of the remaining segments.
    std::cout << "claim_prepend to src_buf" << std::endl;
    src_buf.claim_prepend(b4);
    std::cout << "src_buf is " << src_buf << std::endl;

    // Per the report, this copy() is the call that produces the core.
    std::cout << "start copy to dest_buf" << std::endl;
    src_buf.copy(0, src_buf.length(), dest_buf);
    std::cout << "dest_buf is " << dest_buf << std::endl;
    return ret;
}
Updated by Kefu Chai over 6 years ago
- Project changed from Ceph to RADOS
- Category changed from librados to Correctness/Safety
- Status changed from New to Fix Under Review
- Assignee set to Ivan Guan
- Target version deleted (v10.2.10)
- Component(RADOS) librados added
Updated by Kefu Chai over 6 years ago
- Status changed from Fix Under Review to Resolved
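
The hazard described in this report, reduced to a small stand-alone model. This is an added example, not Ceph's code and not the patch that resolved the bug. SegList, drop_front, prepend, copy_all and replay are hypothetical names, and the cursor behaviour (a segment iterator plus a recorded offset, reused whenever the offset matches the request) is an assumption based on the description above; resetting the cursor on prepend is shown as one possible remedy.

```cpp
// Simplified model of a segment list with a cached read cursor (not Ceph code).
#include <cstddef>
#include <iostream>
#include <list>
#include <stdexcept>
#include <string>

class SegList {  // hypothetical stand-in for bufferlist
  std::list<std::string> segs;
  // Cached cursor in the role of last_p: a segment iterator plus the logical
  // offset it is believed to sit at. Only offset 0 is modelled here.
  mutable std::list<std::string>::const_iterator cur;
  mutable std::size_t cur_off = 0;
  bool reset_on_prepend;
public:
  explicit SegList(bool fixed) : cur(segs.begin()), reset_on_prepend(fixed) {}
  void append(const std::string& s) { segs.push_back(s); }
  void drop_front() {  // stands in for splice(0, <first segment length>)
    segs.pop_front();
    cur = segs.begin(); cur_off = 0;  // cursor is correct at this moment
  }
  void prepend(const std::string& s) {  // stands in for claim_prepend()
    segs.push_front(s);  // segs.begin() moves; cur does not
    if (reset_on_prepend) { cur = segs.begin(); cur_off = 0; }
  }
  std::string copy_all() const {  // stands in for copy(0, length(), dest)
    std::size_t len = 0;
    for (const auto& s : segs) len += s.size();
    // The cache is trusted whenever its recorded offset equals the request.
    if (cur_off != 0 || cur == segs.end()) { cur = segs.begin(); cur_off = 0; }
    std::string out;
    for (auto it = cur; it != segs.end(); ++it) out += *it;
    if (out.size() < len) throw std::out_of_range("end of buffer");
    return out;
  }
};

// Replays the report's call sequence; returns the copied bytes or the error.
std::string replay(bool fixed) {
  SegList b(fixed);
  b.append("ptr 1"); b.append("ptr 22"); b.append("ptr 333");
  b.drop_front(); b.prepend("ptr 4444");
  try { return b.copy_all(); }
  catch (const std::out_of_range& e) { return std::string("throws: ") + e.what(); }
}

int main() {
  std::cout << replay(false) << "\n" << replay(true) << "\n";
}
```

In the model the stale cursor still reports offset 0 but points at the second segment, so the copy runs out of data 8 bytes short; in the reproducer above the corresponding failure is the core the reporter describes.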