Bug #21401

closed

rgw: Missing error handling when gen_rand_alphanumeric is failing

Added by Jens Harbott over 6 years ago. Updated over 4 years ago.

Status: Resolved
Priority: High
Assignee:
Target version:
% Done: 0%
Source:
Tags:
Backport: luminous
Regression: No
Severity: 1 - critical
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The function gen_rand_alphanumeric() tries to read some randomness from /dev/urandom and converts it into a string. The read operation may fail (e.g. with "Too many open files") and there will be a negative error code returned.

int gen_rand_alphanumeric(CephContext *cct, char *dest, int size) /* size should be the required string size + 1 */
{
  int ret = get_random_bytes(dest, size);
  if (ret < 0) {
    lderr(cct) << "cannot get random bytes: " << cpp_strerror(-ret) << dendl;
    return ret;                  
  }
...
}

The consuming function append_rand_alpha(), however, does not check the return code; it uses the uninitialized char buf and appends that to the result string.

static inline void append_rand_alpha(CephContext *cct, const string& src, string& dest, int len)
{
  dest = src;
  char buf[len + 1];
  gen_rand_alphanumeric(cct, buf, len);
  dest.append("_");
  dest.append(buf);
}

As a result, when this happens while an object is being copied, we see its tag and prefix fields containing garbage instead of the expected 24-character string. In particular, the prefix field seems to always contain ".P_" now, leading to collisions for tail object names and in the long run to data loss, as a second object's tail objects will now overwrite those of the first object.

Originally found in v0.94.10, but the code still looks the same in master.
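
A checked variant of the helper described in this report, as an added example that is not Ceph's code or the fix that was merged. `get_random_bytes_stub`, `gen_rand_alphanumeric_stub`, `append_rand_alpha_checked` and `g_force_failure` are hypothetical stand-ins, and the CephContext parameter is dropped so the block compiles on its own.

```cpp
#include <cerrno>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical switch to simulate the "Too many open files" failure.
static bool g_force_failure = false;

// Stand-in for get_random_bytes(): 0 on success, negative errno on failure.
static int get_random_bytes_stub(char *buf, int len) {
  if (g_force_failure) return -EMFILE;
  FILE *f = std::fopen("/dev/urandom", "rb");
  if (!f) return -errno;
  size_t n = std::fread(buf, 1, static_cast<size_t>(len), f);
  std::fclose(f);
  return n == static_cast<size_t>(len) ? 0 : -EIO;
}

// Same contract as in the report: size is the required string size + 1.
static int gen_rand_alphanumeric_stub(char *dest, int size) {
  static const char table[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  int ret = get_random_bytes_stub(dest, size);
  if (ret < 0) return ret;  // dest is not a valid string in this case
  for (int i = 0; i < size - 1; ++i)
    dest[i] = table[static_cast<unsigned char>(dest[i]) % (sizeof(table) - 1)];
  dest[size - 1] = '\0';
  return 0;
}

// Checked variant: propagates the error and leaves dest untouched on
// failure, so a caller can abort instead of storing a bare prefix.
// This example passes len + 1 so the suffix has exactly len characters.
static int append_rand_alpha_checked(const std::string& src,
                                     std::string& dest, int len) {
  std::vector<char> buf(len + 1, '\0');  // zero-initialized, no VLA
  int ret = gen_rand_alphanumeric_stub(buf.data(), len + 1);
  if (ret < 0) return ret;
  dest = src;
  dest.append("_");
  dest.append(buf.data(), len);
  return 0;
}
```

Callers of the checked variant have to handle the return value themselves; changing the signature from void to int is what makes the failure visible at each call site.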


Related issues 3 (1 open, 2 closed)

Related to rgw - Bug #22006: RGWCrashError: RGW will crash when generating random bucket name and object name during loadgen process (Resolved, 11/02/2017)
Related to rgw - Bug #22225: rgw:socket leak in s3 multi part upload (In Progress, 11/22/2017)
Copied to rgw - Backport #21851: luminous: rgw: Missing error handling when gen_rand_alphanumeric is failing (Rejected, Casey Bodley)
