Bug #4594

null character in object name triggers segfault

Added by Loic Dachary over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
common
Target version:
-
Start date:
03/30/2013
Due date:
03/31/2013
% Done:

90%

Spent time:
Source:
Q/A
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

work in progress

Parsing \n in lfn_parse_object_name is implemented with

out->append('\0');

which segfaults when using libstdc++ and g++ version 4.6.3 on Debian
GNU/Linux.

The problem can be reproduced with a single file containing

#include <string>

int main() { std::string s; s.append('\0'); }

When compiled and run with

g++ -o a a.cc ; valgrind --tool=memcheck ./a

it outputs the following:

==7446== Invalid read of size 1
==7446==    at 0x40293A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7446==    by 0x4AE2C7B: std::string::append(char const*) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17)
==7446==    by 0x400769: main (in /tmp/a)
==7446==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7446== Process terminating with default action of signal 11 (SIGSEGV)
==7446==  Access not within mapped region at address 0x0
==7446==    at 0x40293A2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7446==    by 0x4AE2C7B: std::string::append(char const*) (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17)

Related issues

Blocks Ceph - Bug #4597: nspace is ignored by LFNIndex::lfn_parse_object_name Resolved 03/30/2013

Associated revisions

Revision c344ff17 (diff)
Added by Loic Dachary over 6 years ago

fix null character in object name triggering segfault

Parsing \n in lfn_parse_object_name is implemented with

out->append('\0');

which segfaults when using libstdc++ and g++ version 4.6.3 on Debian
GNU/Linux. It is replaced with

(*out) += '\0';

to avoid the bogus implicit conversion. There is no append(charT)
method in C++98 or C++11, which means it relies on an implicit
conversion that is bogus. It would be better to rely on the
basic_string& operator+=(charT c); method as defined in ISO 14882-1998
(page 385) through ISO 14882-2012 (page 640)

A set of tests is added to generate and parse object names. They need
access to the private function lfn_parse_object_name because there is
no convenient protected method to exercise it. The tests contain a
LFNIndex derived class, TestWrapLFNIndex which is made a friend of
LFNIndex to gain access to the private methods.

http://tracker.ceph.com/issues/4594 refs #4594

Signed-off-by: Loic Dachary <>

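The behaviour discussed in the description and in the commit message above, as an added example that is not part of this tracker page or of Ceph's code: a small decoder that turns the two-character escape `\n` into a NUL byte with `operator+=`, the form the fix uses, and a check showing why a decoded name holding an embedded NUL must be handled by `size()` rather than by C-string length. The escape table (`\n` for NUL, `\\` for a literal backslash), the names `lfn_unescape`, `lfn_escape`, `append_nul`, `visible_to_c_string_api` and `rejects`, and the rejection of malformed escapes are assumptions made here for illustration; only the `\n` rule is stated on the page.

```cpp
// Added example, not Ceph's code. Decodes an escaped object name in which the
// two-character sequence "\n" stands for a NUL byte and "\\" for a backslash.
// Only the "\n" -> NUL rule comes from the tracker page; the rest of the escape
// table and the error handling are assumptions for this example.
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>

// Appends one NUL byte to *out. operator+=(charT) stores the byte and grows
// size() by one. The buggy form out->append('\0') had no append(charT)
// overload to bind to, so on the 2013 toolchain '\0' converted to a null
// const char* and append(const char*) called strlen on a null pointer.
static void append_nul(std::string *out) {
  (*out) += '\0';
}

// Decodes an escaped name. A dangling backslash or an unknown escape is
// rejected instead of being silently dropped or passed through.
std::string lfn_unescape(const std::string &in) {
  std::string out;
  out.reserve(in.size());
  for (std::string::const_iterator i = in.begin(); i != in.end(); ++i) {
    if (*i != '\\') {
      out += *i;
      continue;
    }
    ++i;
    if (i == in.end())
      throw std::invalid_argument("dangling backslash at end of name");
    switch (*i) {
      case 'n':  append_nul(&out); break;  // "\n" -> NUL byte
      case '\\': out += '\\'; break;        // "\\" -> literal backslash
      default:
        throw std::invalid_argument("unknown escape sequence");
    }
  }
  return out;
}

// Inverse direction (assumed table), so round trips can be checked.
std::string lfn_escape(const std::string &in) {
  std::string out;
  out.reserve(in.size());
  for (std::string::const_iterator i = in.begin(); i != in.end(); ++i) {
    if (*i == '\0')      out += "\\n";
    else if (*i == '\\') out += "\\\\";
    else                 out += *i;
  }
  return out;
}

// Bytes a C-string consumer would see: everything up to the first NUL.
// For a decoded name with an embedded NUL this is shorter than size().
std::size_t visible_to_c_string_api(const std::string &s) {
  return std::strlen(s.c_str());
}

// True when the decoder rejects the input.
bool rejects(const std::string &in) {
  try {
    lfn_unescape(in);
    return false;
  } catch (const std::invalid_argument &) {
    return true;
  }
}

int main() {
  // "foo\nbar" on the wire decodes to 7 bytes, only 3 of which are visible
  // through c_str()-based APIs.
  std::string decoded = lfn_unescape("foo\\nbar");
  bool ok = decoded.size() == 7 && visible_to_c_string_api(decoded) == 3
            && rejects("trailing\\") && rejects("bad\\q");
  return ok ? 0 : 1;
}
```

Two points worth keeping in mind. First, the length check is the reason this matters beyond the crash: once a name legitimately contains NUL, any consumer that hands `c_str()` to a `const char*` API sees a truncated name, so comparisons and lookups must use `size()` or the `std::string` operators throughout. Second, on compilers that implement the C++14 wording (CWG 903), a character literal is no longer a null pointer constant, so the original `s.append('\0')` is a compile error rather than a silent `strlen(NULL)`; the example above therefore avoids that form entirely and uses `operator+=` as the commit does.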
History

#1 Updated by Loic Dachary over 6 years ago

  • File INCITS ISO IEC 14882-2012.pdf added
  • File cpp98.pdf added

There is no append(charT) method in C++98 or C++11, which means it relies on an implicit conversion that is bogus. It would be better to rely on the basic_string& operator+=(charT c); method as defined in ISO 14882-1998 (page 385) through ISO 14882-2012 (page 640)

#2 Updated by Loic Dachary over 6 years ago

  • Description updated (diff)

#3 Updated by Loic Dachary over 6 years ago

  • % Done changed from 0 to 90

#4 Updated by Loic Dachary over 6 years ago

  • Due date changed from 03/30/2013 to 03/31/2013
  • Status changed from In Progress to Resolved

#5 Updated by Patrick McGarry over 2 years ago

  • File deleted (cpp98.pdf)

#6 Updated by Patrick McGarry over 2 years ago

  • File deleted (INCITS ISO IEC 14882-2012.pdf)