
(ITS#8313) crash in mdb_rebalance(): uninited cursor flags

Full_Name: Hallvard B Furuseth
Version: mdb.master, 355f64ad07537a4f21dc6fe4cef66324316aa84b
OS: Linux x86_64
URL: ftp://ftp.openldap.org/incoming/Hallvard-Furuseth-151118-2.c
Submission from: (NULL) (
Submitted by: hallvard

The test program can crash dereferencing mp==NULL at
mdb_cursor_del0() line 8244 "nkeys = NUMKEYS(mp);"

Apparently because mdb_rebalance() pushes cursor 'dummy'
to mt_cursors[] without initializing mc_flags.
The test also uses pagesize 0x8000.

This prevents the crash.  Don't know if it's the right fix:

diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 6bd025d..8bbc54c 100644
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -8174,2 +8174,3 @@ mdb_rebalance(MDB_cursor *mc)
 			MDB_cursor dummy;
+			dummy.mc_flags = C_INITIALIZED;
 			oldki += NUMKEYS(mn.mc_pg[mn.mc_top]);
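Review bot: the added `dummy.mc_flags = C_INITIALIZED;` initializes only one field of the stack-allocated `MDB_cursor dummy;`, so every other member that code walking mt_cursors[] may read stays indeterminate; consider zero-initializing the whole struct (memset or `MDB_cursor dummy = {0};`) before setting the flag, so the fix does not depend on which fields the consumer happens to touch. The choice of C_INITIALIZED also needs a comment in the hunk: the report says a value of 0 still crashes, which means the consumer's behaviour depends on the flag's value, not merely on its being defined, and a reader of this line cannot tell why a temporary cursor should claim to be initialized.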

OTOH setting dummy.mc_flags = 0 keeps crashing.

To reproduce:
    gcc -O3 -pthread -I. Hallvard-Furuseth-151118-2.c
    mkdir testdb
    rm -f testdb/*; ./a.out -d -i100 -p32768 -r617974163
May need to repeat last line a few times.
Add option -v to see the Put/Del commands.
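As an added illustration (not code from the report or from LMDB), the model below reproduces the pattern the report describes: a temporary cursor is linked into a transaction's cursor list, and a later walker trusts the cursor's flags to decide whether it may dereference the page at the top of the cursor's stack. All names here (cursor_t, txn_t, C_INITIALIZED, cursor_check, txn_sum_top_keys, scenario) are hypothetical and not LMDB's; the constructed "bug" case sets the flag on a cursor whose page stack is NULL, which is the state the invariant check is meant to catch, while the "fixed" case zero-initializes the whole struct so the walker skips it.

```c
/* Miniature model of "temporary cursor pushed onto the txn cursor list".
 * Hypothetical names; not LMDB code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define C_INITIALIZED   0x01   /* hypothetical: cursor has a valid page stack */
#define CURSOR_MAXDEPTH 8

typedef struct page { unsigned nkeys; } page_t;

typedef struct cursor {
    struct cursor *mc_next;                 /* next cursor in the txn's list */
    unsigned       mc_flags;
    unsigned       mc_snum;                 /* number of pages on the stack */
    page_t        *mc_pg[CURSOR_MAXDEPTH];  /* page stack, top = mc_snum-1 */
} cursor_t;

typedef struct txn { cursor_t *mt_cursors; } txn_t;

/* Zero the whole struct, not just the flag, so no field is indeterminate. */
static void cursor_init(cursor_t *mc)
{
    memset(mc, 0, sizeof *mc);
}

static void txn_push_cursor(txn_t *txn, cursor_t *mc)
{
    mc->mc_next = txn->mt_cursors;
    txn->mt_cursors = mc;
}

/* Invariant whose violation the report's crash shows: a cursor marked
 * C_INITIALIZED must have a non-NULL page at the top of its stack.
 * Returns 0 if consistent, -1 otherwise. Uninitialized cursors are fine;
 * walkers simply skip them. */
static int cursor_check(const cursor_t *mc)
{
    if (!(mc->mc_flags & C_INITIALIZED))
        return 0;
    if (mc->mc_snum == 0 || mc->mc_snum > CURSOR_MAXDEPTH)
        return -1;
    if (mc->mc_pg[mc->mc_snum - 1] == NULL)
        return -1;
    return 0;
}

/* Walk the list the way a delete fix-up loop would: sum nkeys of the top
 * page of every initialized cursor. Returns -1 instead of dereferencing
 * a NULL page if any cursor fails the invariant. */
static long txn_sum_top_keys(const txn_t *txn)
{
    long total = 0;
    for (const cursor_t *mc = txn->mt_cursors; mc; mc = mc->mc_next) {
        if (cursor_check(mc) != 0)
            return -1;
        if (mc->mc_flags & C_INITIALIZED)
            total += mc->mc_pg[mc->mc_snum - 1]->nkeys;
    }
    return total;
}

/* Constructed scenario: one real cursor on a leaf with 7 keys, plus a
 * temporary "dummy" cursor pushed during a rebalance-like step. */
static long scenario(int init_dummy_fully)
{
    static page_t leaf = { 7 };
    txn_t txn = { NULL };
    cursor_t real, dummy;

    cursor_init(&real);
    real.mc_flags = C_INITIALIZED;
    real.mc_snum  = 1;
    real.mc_pg[0] = &leaf;
    txn_push_cursor(&txn, &real);

    if (init_dummy_fully) {
        cursor_init(&dummy);          /* flags 0, pages NULL: walker skips it */
    } else {
        /* Model of the bug: the flag claims "initialized" but the page stack
         * was never filled in. Explicit zeros stand in for stale stack data. */
        memset(&dummy, 0, sizeof dummy);
        dummy.mc_flags = C_INITIALIZED;
        dummy.mc_snum  = 1;           /* mc_pg[0] stays NULL */
    }
    txn_push_cursor(&txn, &dummy);
    return txn_sum_top_keys(&txn);
}

int main(void)
{
    printf("fully initialized dummy: %ld\n", scenario(1));   /* 7 */
    printf("flag-only dummy:         %ld\n", scenario(0));   /* -1 */
    return 0;
}
```

The check in cursor_check is the kind of assertion worth placing where mt_cursors[] is consumed: it turns the NULL-page dereference the report describes into a detectable error, and it fails closed regardless of which fields the temporary cursor happened to have set.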