-
Type:
Bug
-
Resolution: Done
-
Priority:
Major - P3
-
Affects Version/s: 1.5.3
-
Component/s: Internal Client
-
None
-
ALL
See http://github.com/mongodb/mongo/blob/master/client/dbclientcursor.cpp#L125
If qr->nReturned is zero, then qr->data() returns a pointer to uninitialized bytes, which is then passed to DBConnector::checkResponse at the above line. But the signature of DBConnector::checkResponse requires that this call convert its first argument to a temporary std::string: that requires a call to strlen on the provided pointer. In the case under discussion, that leads to a call to strlen on an uninitialized buffer.
Either line 125 should be changed to correctly handle the case where nReturned is zero, and not attempt to construct a temporary std::string in that case, or DBConnector::checkResponse should be changed to take a const char* first argument, and then correctly handle the case where its second argument is zero.
This shows up in valgrind like this:
==15773== Conditional jump or move depends on uninitialised value(s)
==15773== at 0x4C2AA39: __GI_strlen (mc_replace_strmem.c:284)
==15773== by 0x8978A3F: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (in /usr/lib/libstdc++.so.6.0.13)
==15773== by 0x9F834ED: mongo::DBClientCursor::dataReceived() (dbclientcursor.cpp:125)
==15773== by 0x9F82C8E: mongo::DBClientCursor::init() (dbclientcursor.cpp:54)
==15773== by 0x9F78057: mongo::DBClientBase::query(std::string const&, mongo::Query, int, int, mongo::BSONObj const*, int, int) (dbclient.cpp:530)
==15773== by 0x9F7D181: mongo::DBClientConnection::query(std::string const&, mongo::Query, int, int, mongo::BSONObj const*, int, int) (dbclient.h:704)
==15773== by 0x9F7728D: mongo::DBClientInterface::findOne(std::string const&, mongo::Query, mongo::BSONObj const*, int) (dbclient.cpp:450)
...
==15773== Uninitialised value was created by a heap allocation
==15773== at 0x4C2940D: malloc (vg_replace_malloc.c:236)
==15773== by 0x9F3C03C: mongo::ourmalloc(unsigned long) (allocator.h:23)
==15773== by 0x9F57642: mongo::MessagingPort::recv(mongo::Message&) (message.cpp:391)
==15773== by 0x9F57863: mongo::MessagingPort::call(mongo::Message&, mongo::Message&) (message.cpp:426)
==15773== by 0x9F7A2AC: mongo::DBClientConnection::call(mongo::Message&, mongo::Message&, bool) (dbclient.cpp:789)
==15773== by 0x9F82C4B: mongo::DBClientCursor::init() (dbclientcursor.cpp:50)
==15773== by 0x9F78057: mongo::DBClientBase::query(std::string const&, mongo::Query, int, int, mongo::BSONObj const*, int, int) (dbclient.cpp:530)
==15773== by 0x9F7D181: mongo::DBClientConnection::query(std::string const&, mongo::Query, int, int, mongo::BSONObj const*, int, int) (dbclient.h:704)
==15773== by 0x9F7728D: mongo::DBClientInterface::findOne(std::string const&, mongo::Query, mongo::BSONObj const*, int) (dbclient.cpp:450)
...