[CDRIVER-2431] _mongoc_client_command_with_opts segfault with empty command document
Created: 15/Dec/17  Updated: 28/Oct/23  Resolved: 20/Dec/17

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: None
Fix Version/s: 1.9.0

Type: Bug Priority: Major - P3
Reporter: Jeremy Mikola Assignee: Jeremy Mikola
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to PHPC-1066 Create a method that makes sure unsup... Closed

Description

A PHPC test happened to use an empty command document in an error test and inadvertently caused a segfault within libmongoc when the command name is checked. The relevant bit of the backtrace is:

#0  __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:164
No locals.
#1  0x00007f91620aec21 in mongoc_cmd_parts_append_opts (parts=0x7fff1cabe060, iter=0x7fff1cabdf90, max_wire_version=6, error=0x7fff1cabe540)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-cmd.c:124
#2  0x00007f91620a304d in _mongoc_client_command_with_opts (client=0x20ac4f0, db_name=0x7f916ab80d88 "phongo", command=0x20aa530, mode=MONGOC_CMD_READ, 
    opts=0x7fff1cabe440, flags=MONGOC_QUERY_NONE, default_prefs=0x20ad000, default_rc=0x20acf60, default_wc=0x20aceb0, reply=0x7fff1cabe3c0, error=0x7fff1cabe540)
    at /home/jmikola/workspace/mongodb/phpc/src/libmongoc/src/mongoc/mongoc-client.c:1778

The point of the exception is the strcasecmp call in mongoc_cmd_parts_append_opts() (mongoc-cmd.c:124 in the backtrace above) when checking whether the command is "findAndModify". Note that a similar check happens higher up in _mongoc_client_command_with_opts() when deciding if a default write concern should be applied.

An additional point of interest may be _mongoc_cursor_run_command() when checking for a "getMore" command.

_mongoc_get_command_name() is also used to assign parts->assembled.command_name in mongoc_cmd_parts_assemble(), but there an error is raised for an empty command document if the name is NULL. mongoc-cursor-cursorid.c also calls _mongoc_get_command_name() to craft an error message; however, that should not be a concern as printf patterns should be able to handle NULL char * values.
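The crash path described above, modelled as an added C example that is not part of libmongoc or of the linked commits: cmd_doc_t, get_command_name(), the *_unchecked/*_checked functions and assemble_command_name() are constructed stand-ins for the bson_t accessors and for the driver functions named in the description, and the sample documents are constructed too.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for a BSON command document: its top-level keys in
 * order, NULL-terminated. An empty document has no keys, like bson_new(). */
typedef struct { const char *keys[4]; } cmd_doc_t;

/* Mirrors _mongoc_get_command_name(): the name is the first key, so an
 * empty document yields NULL rather than a string. */
const char *get_command_name(const cmd_doc_t *doc) { return doc->keys[0]; }

/* The pattern that crashed: NULL goes straight into strcasecmp, which
 * dereferences it (the __strcasecmp_l_avx frame in the backtrace). */
bool is_find_and_modify_unchecked(const cmd_doc_t *doc)
{
    return strcasecmp(get_command_name(doc), "findAndModify") == 0;
}

/* Hardened form, in the spirit of the fix commit ("check for empty command
 * before comparing name"): an empty document cannot be the command we are
 * looking for, so the comparison is skipped and NULL never reaches libc. */
bool is_find_and_modify_checked(const cmd_doc_t *doc)
{
    const char *name = get_command_name(doc);
    if (name == NULL) {   /* empty command document */
        return false;
    }
    return strcasecmp(name, "findAndModify") == 0;
}

/* Where a name is required, as when assembling the command, an empty
 * document is reported as an error rather than passed along. */
bool assemble_command_name(const cmd_doc_t *doc, const char **name_out,
                           char *err, size_t err_len)
{
    const char *name = get_command_name(doc);
    if (name == NULL) {
        snprintf(err, err_len, "Empty command document");
        return false;
    }
    *name_out = name;
    return true;
}

/* Constructed samples: empty (as in the PHPC test), findAndModify, find. */
const cmd_doc_t sample_empty = { { NULL } };
const cmd_doc_t sample_fam = { { "findandmodify", "query", NULL } };
const cmd_doc_t sample_find = { { "find", "filter", NULL } };
```

Only the checked variant is safe to call on sample_empty; the unchecked one reproduces the NULL dereference the backtrace shows.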



Comments
Comment by Githook User [ 21/Dec/17 ]

Author:

{'name': 'Jeremy Mikola', 'email': 'jmikola@gmail.com', 'username': 'jmikola'}

Message: Regression test for empty command segfault (CDRIVER-2431)
Branch: master
https://github.com/mongodb/mongo-php-driver/commit/bfbbbf1babac0d866f9794e3a30efed3bceff0f8

Comment by Githook User [ 20/Dec/17 ]

Author:

{'name': 'Jeremy Mikola', 'email': 'jmikola@gmail.com', 'username': 'jmikola'}

Message: CDRIVER-2431 check for empty command before comparing name
Branch: r1.9
https://github.com/mongodb/mongo-c-driver/commit/471bfb037e8e380dde9409ba318a66f491d003be

Comment by Githook User [ 20/Dec/17 ]

Author:

{'name': 'Jeremy Mikola', 'email': 'jmikola@gmail.com', 'username': 'jmikola'}

Message: CDRIVER-2431 check for empty command before comparing name
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/85c5726b106ccd5f42b9c5c5fc9ea0a10818a414

Comment by Jeremy Mikola [ 19/Dec/17 ]

https://github.com/mongodb/mongo-c-driver/pull/477

Comment by A. Jesse Jiryu Davis [ 19/Dec/17 ]

Jeremy do you want to submit a PR for this please?
