Core Server / SERVER-3760

potentially unsafe use of memcmp in v1 index


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Version: 2.0.0-rc2
    • Component: Index Maintenance
    • Operating System: ALL

    Description

      I don't think memcmp guarantees that it will not access later bytes in a string if earlier bytes do not match. According to the man page, "Both strings are assumed to be n bytes long." So, for example, if there is a memcmp implementation that compares one word rather than one byte at a time and backtracks to find the return value if there is a mismatch, it could segfault in the following call sites, where the allocation for r may be shorter than sz/len.

      case cstring: {
          unsigned sz = ((unsigned) *l) + 1;
          if( memcmp(l, r, sz) ) // first byte checked is the length byte
              return false;
          l += sz;
          r += sz;
          break;
      }

      case cbindata: {
          int len = binDataCodeToLength(*l) + 1;
          if( memcmp(l, r, len) )
              return false;
          l += len;
          r += len;
          break;
      }
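      The following is an added illustration, not code from the report or from MongoDB: it places the cstring pattern quoted above next to a variant that checks the length byte before calling memcmp, so the comparison never asks memcmp for more bytes than the shorter key actually has. The key layout (one length byte followed by that many data bytes) and the sample keys are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Key layout assumed here (constructed for this example, matching the cstring
 * case quoted in the report): one length byte, then that many bytes of data. */

/* The pattern from the report: one memcmp spans the length byte and the data.
 * If r holds a shorter string than l, memcmp may touch bytes of r beyond its
 * allocation before the mismatching length byte ever stops the comparison. */
static bool cstring_equal_original(const unsigned char *l, const unsigned char *r) {
    unsigned sz = ((unsigned) *l) + 1;
    return memcmp(l, r, sz) == 0;
}

/* Hardened version: decide on the length byte first, and only memcmp the data
 * once both sides are known to hold the same number of bytes. */
static bool cstring_equal_safe(const unsigned char *l, const unsigned char *r) {
    if (*l != *r)
        return false;                         /* lengths differ: no data read */
    return memcmp(l + 1, r + 1, (size_t) *l) == 0;
}

/* Upper bound on the number of bytes of r the hardened comparison may read. */
static size_t safe_bytes_read(const unsigned char *l, const unsigned char *r) {
    return (*l != *r) ? 1 : (size_t) *l + 1;
}

/* Constructed sample keys. KEY_HI is exactly 3 bytes, so comparing KEY_HELLO
 * against it with the original pattern would ask memcmp for 6 bytes of a
 * 3-byte object; the hardened version stops at the length byte instead. */
static const unsigned char KEY_HELLO[] = {5, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char KEY_HI[]    = {2, 'h', 'i'};
static const unsigned char KEY_HO[]    = {2, 'h', 'o'};

int main(void) {
    /* Exit status 0 when the hardened comparison behaves as expected. */
    return (cstring_equal_safe(KEY_HI, KEY_HI) &&
            !cstring_equal_safe(KEY_HELLO, KEY_HI) &&
            !cstring_equal_safe(KEY_HI, KEY_HO)) ? 0 : 1;
}
```

      The original pattern is kept only for same-length inputs; calling it with KEY_HELLO against KEY_HI is exactly the over-read the report describes.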

      People

        Dwight Merriman
        Aaron Staple