[CDRIVER-3522] Stack smashing detected connecting to multiple replica set members with TLS Created: 05/Feb/20 Updated: 28/Oct/23 Resolved: 23/Jul/20 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | 1.13.0, 1.14.0 |
| Fix Version/s: | 1.18.0, 1.17.3, 1.18.0-alpha |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Jeremy Mikola | Assignee: | Roberto Sanchez |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
| Description |
|
This was originally reported in
The ssl and authSource options were originally specified outside of the connection string (via PHP's extra hash argument), but I've merged them in for simplicity. The crash itself appeared with the following in debug output from the PHP process:
The equivalent crash in GDB was a bit more verbose, but also includes some function names missing in the previous log:
Researching __stack_chk_fail suggests that it's merely indicative of when the stack smash was detected, but not where it originated. This Stack Overflow thread suggests using AddressSanitizer to investigate further. Without being able to identify the smash with ASan, I believe anything in the stack trace could be suspect. The crash itself was reported against PHPC 1.5.5 and 1.6.0alpha2, so I've marked the affected version as libmongoc 1.13.0 and 1.14.0, respectively. In the meantime, I've also asked the user to attempt reproduction using the latest version of the driver (1.7.1), which uses libmongoc 1.16.1. |
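The description's point about `__stack_chk_fail`, as an added example that is not part of the original report or of libmongoc: a model frame with a guard word, showing that the overwrite happens in the copy step while a canary-only build notices it only at the epilogue. `struct frame`, `callee_copy`, `run_frame` and the guard value are hypothetical names constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD 0x5ca1ab1e0badf00dULL      /* constructed guard value */
enum { STEP_NONE, STEP_COPY, STEP_WORK, STEP_EPILOGUE };

/* Models one stack frame: a local buffer with the guard word just above it. */
struct frame { char buf[16]; uint64_t guard; };
struct report { int origin; int detected; };

/* Hypothetical callee that trusts n. The copy is clamped to the model frame
 * so the simulation itself never touches the real stack. */
static void callee_copy(struct frame *f, const char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((char *)f, src, n);
}

/* Runs the frame with an n-byte input and records where the guard was
 * overwritten versus where a canary-only build would notice. */
struct report run_frame(size_t n) {
    char src[sizeof(struct frame)];
    struct frame f;
    struct report r = { STEP_NONE, STEP_NONE };
    unsigned sum = 0;

    memset(src, 'A', sizeof src);                 /* constructed input */
    memset(&f, 0, sizeof f);
    f.guard = GUARD;                              /* prologue stores the guard */

    callee_copy(&f, src, n);                      /* STEP_COPY */
    if (f.guard != GUARD) r.origin = STEP_COPY;   /* per-write check: the ASan view */

    for (size_t i = 0; i < sizeof f.buf; i++)     /* STEP_WORK: unrelated code runs */
        sum += (unsigned char)f.buf[i];
    (void)sum;

    if (f.guard != GUARD) r.detected = STEP_EPILOGUE; /* the only check a canary makes */
    return r;
}

int main(void) {
    struct report ok = run_frame(16), bad = run_frame(17);
    printf("16 bytes: origin=%d detected=%d\n", ok.origin, ok.detected);
    printf("17 bytes: origin=%d detected=%d\n", bad.origin, bad.detected);
    return 0;
}
```

A single byte past the buffer is enough to trip the epilogue check, and every frame that ran between the copy and the return shows up in the backtrace without being the cause.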
| Comments |
| Comment by Githook User [ 24/Nov/20 ] | |||||||
|
Author: {'name': 'Roberto C. Sánchez', 'email': 'roberto@connexer.com', 'username': 'rcsanchez97'} Message: | |||||||
| Comment by Githook User [ 23/Jul/20 ] | |||||||
|
Author: {'name': 'Roberto C. Sánchez', 'email': 'roberto@connexer.com', 'username': 'rcsanchez97'} Message: | |||||||
| Comment by Roberto Sanchez [ 17/Jul/20 ] | |||||||
|
In the process of working on | |||||||
| Comment by Kevin Albertson [ 12/May/20 ] | |||||||
|
Hypothesis: A host listed in the "hosts" list that mismatches TLS validation causes the crash during scan. Attempted to reproduce by setting up a replica set with a "hosts" list containing a different host name to a secondary (one which fails TLS hostname validation). I modified /etc/hosts to add these entries:
Created a server certificate with the common name "host", then configured a two node replica set in the mongodb shell:
Then connected with example client:
But no crash was observed compiling with ASAN. | |||||||
| Comment by Roberto Sanchez [ 17/Apr/20 ] | |||||||
|
I have commented on |