Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Gone away
Priority: Minor - P4
Fix Version/s: None
Affects Version/s: None
Component/s: Internal Code
Labels:
- neweng

Assigned Teams:

Storage Execution
Operating System:
ALL
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

After just a few characters, this function will overflow the signed int 'hash', which is undefined behavior. Conjecture: it might even be exploitable by an optimizer since the function is inline.

inline int nsDBHash(const std::string& ns) {                                                                                 
    int hash = 7; 
    for (size_t i = 0; i < ns.size(); i++) {                                                                                 
        if (ns[i] == '.')                                                                                                    
            break; 
        hash += 11 * ns[i];                                                                                                  
        hash *= 3;                                                                                                           
    }
    return hash;                                                                                                             
}

I suggest we switch to unsigned math for the bit wrangling and cast to int at the end.

https://github.com/mongodb/mongo/commit/bc2d722169d5d1b46adfc603e29730b029b5e933#diff-fad15cbf66c82ba4a36fd2cc2e1c0b00R584

Assignee:: [DO NOT USE] Backlog - Storage Execution Team
Reporter:: Billy Donahue
Participants:: [DO NOT USE] Backlog - Storage Execution Team, Billy Donahue, Eric Milkie
Votes:: 0 Vote for this issue
Watchers:: 3 Start watching this issue

Created:: Jan 22 2018 04:27:04 PM UTC
Updated:: Oct 27 2023 08:43:41 PM UTC
Resolved:: Jun 21 2018 05:13:15 PM UTC

Details

Description

Attachments

Activity

People

Dates