Merge lp:~dshrews/drizzle/bug616941 into lp:~drizzle-trunk/drizzle/development

Proposed by David Shrewsbury
Status: Merged
Approved by: Brian Aker
Approved revision: 1765
Merged at revision: 1768
Proposed branch: lp:~dshrews/drizzle/bug616941
Merge into: lp:~drizzle-trunk/drizzle/development
Diff against target: 65 lines (+24/-0)
1 file modified
plugin/transaction_log/print_transaction_message.cc (+24/-0)
To merge this branch: bzr merge lp:~dshrews/drizzle/bug616941
Reviewer Review Type Date Requested Status
Drizzle Merge Team Pending
Review via email: mp+35558@code.launchpad.net

Description of the change

Fix for a server crash when an invalid transaction message offset is given to the PRINT_TRANSACTION_MESSAGE function. Added validation for the message type and length.

Also eliminates some possible memory leaks (error paths were not cleaning up properly).



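--- a/plugin/transaction_log/print_transaction_message.cc
+++ b/plugin/transaction_log/print_transaction_message.cc
@@ -43,6 +43,7 @@
 #include "print_transaction_message.h"
 
 #include <drizzled/message/transaction.pb.h>
+#include <drizzled/replication_services.h>
 #include <google/protobuf/io/zero_copy_stream.h>
 #include <google/protobuf/io/zero_copy_stream_impl.h>
 #include <google/protobuf/io/coded_stream.h>
@@ -120,6 +121,7 @@
 uint32_t message_type;
 if (! coded_input->ReadLittleEndian32(&message_type))
 {
+ delete coded_input;
 delete file_input;
 
 /** @todo Error message for this... */
@@ -127,9 +129,20 @@
 return NULL;
 }
 
+ /* Validate message type */
+ if (message_type != ReplicationServices::TRANSACTION)
+ {
+ fprintf(stderr, _("GPB message is not a valid type.\n"));
+ delete coded_input;
+ delete file_input;
+ null_value= true;
+ return NULL;
+ }
+
 uint32_t message_size;
 if (! coded_input->ReadLittleEndian32(&message_size))
 {
+ delete coded_input;
 delete file_input;
 
 /** @todo Error message for this... */
@@ -137,6 +150,15 @@
 return NULL;
 }
 
+ if (message_size > INT_MAX)
+ {
+ fprintf(stderr, _("GPB message is not a valid size.\n"));
+ delete coded_input;
+ delete file_input;
+ null_value= true;
+ return NULL;
+ }
+
 uint8_t *buffer= (uint8_t *) malloc(message_size);
 
 bool result= coded_input->ReadRaw(buffer, message_size);
@@ -164,6 +186,8 @@
 
 if (str->alloc(transaction_text.length()))
 {
+ delete coded_input;
+ delete file_input;
 null_value= true;
 return NULL;
 }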
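Review bot: The new size check in the third hunk (`@@ -137,6 +150,15 @@`) only rejects values above INT_MAX, yet `malloc(message_size)` on the very next line is still unchecked, so a corrupt or crafted header can still hand `ReadRaw` a NULL buffer, which is the crash class this change sets out to fix. Any value up to INT_MAX is accepted and allocated straight from a length read out of the file, so an allocation failure is a realistic path, and a NULL check using the same cleanup as the surrounding error paths closes it. The same `delete coded_input; delete file_input;` pair is now repeated in five error paths across the hunks; a single cleanup label or a scoped holder would keep them from drifting apart again. The enclosing function starts and ends outside these hunks, so it cannot be confirmed here whether `buffer` has been freed before the `str->alloc` failure path in the last hunk; if it has not, that path still leaks it.
```cpp
  uint8_t *buffer= (uint8_t *) malloc(message_size);
  if (buffer == NULL)
  {
    fprintf(stderr, _("Unable to allocate memory for GPB message.\n"));
    delete coded_input;
    delete file_input;
    null_value= true;
    return NULL;
  }
  // … unchanged: ReadRaw and the rest of the function …
```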