Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-32832

Arithmetic overflow in mongo::nsDBHash

    XMLWordPrintableJSON

Details

    • Icon: Bug Bug
    • Resolution: Gone away
    • Icon: Minor - P4 Minor - P4
    • None
    • None
    • Internal Code
    • Storage Execution
    • ALL

    Description

      After just a few characters, this function will overflow the signed int 'hash', which is undefined behavior. Conjecture: it might even be exploitable by an optimizer since the function is inline.

      inline int nsDBHash(const std::string& ns) {                                                                                 
          int hash = 7; 
          for (size_t i = 0; i < ns.size(); i++) {                                                                                 
              if (ns[i] == '.')                                                                                                    
                  break; 
              hash += 11 * ns[i];                                                                                                  
              hash *= 3;                                                                                                           
          }
          return hash;                                                                                                             
      }                                                                                                                            
      

      I suggest we switch to unsigned math for the bit wrangling and cast to int at the end.

      https://github.com/mongodb/mongo/commit/bc2d722169d5d1b46adfc603e29730b029b5e933#diff-fad15cbf66c82ba4a36fd2cc2e1c0b00R584

      Attachments

        Activity

          People

            backlog-server-execution Backlog - Storage Execution Team
            billy.donahue@mongodb.com Billy Donahue
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: