[CDRIVER-3487] Exhaust cursors on single threaded drivers may interfere with SDAM monitoring Created: 15/Jan/20  Updated: 23/Mar/23

Status: Backlog
Project: C Driver
Component/s: libmongoc
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Kevin Albertson Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-3438 Destroy exhaust cursor socket in mong... Closed

 Description   

When discussing CDRIVER-3438, the following scenario seems like a very possible bug in libmongoc:

Create an exhaust cursor against server S1. This sets mongoc_client_t's in_exhaust flag to true. Since S1 expects to stream all documents requested, the socket to S1 can only be read from (and must be closed when done) in mongoc_cursor_destroy.

While the mongoc_client_t is still in_exhuast, call mongoc_client_select_server, triggering a topology scan. Since there is no check of client->in_exhaust in mongoc-async-cmd.c, the scan will attempt to send an isMaster on the same socket to S1. This will result in an out-of-bound write to the socket.

Note, I believe this bug would only appear if the user were to call mongoc_client_select_server while the client was in exhaust. Other operations that would otherwise do I/O would check (and correctly error) in the common I/O code path of mongoc-cluster.c.


Generated at Wed Feb 07 21:18:11 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.