[SERVER-30576] junk data on the wire causes segfault in latest dev build Created: 09/Aug/17  Updated: 10/Aug/17  Resolved: 09/Aug/17

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Matt Broadstone
Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-30473 Denial of service from wild Closed
Backwards Compatibility: Fully Compatible
Operating System: OS X
Steps To Reproduce:

Using any recent version of the node driver:

const MongoClient = require('mongodb').MongoClient;
MongoClient.connect('mongodb://localhost')
  .then(db => {
    // Write raw junk bytes straight onto the first open connection,
    // bypassing the driver's message framing.
    db.serverConfig.connections()[0]
      .write(Buffer.from('312312321321askdjljsaNCKnablibh'));
  })
  .catch(err => console.error(err));

Description:

We have some node driver tests that inject junk data onto the wire in order to cause certain network failures. The tests were failing with v3.5.11, and when I dug a little deeper it seems the behavior now crashes the server.

mbroadst@gorgor:~$ mongod --version
db version v3.5.11
git version: a8a9854b666515d48720cf2b203553954b6a75e6
OpenSSL version: OpenSSL 0.9.8zh 14 Jan 2016
allocator: system
modules: none
build environment:
    distarch: x86_64
    target_arch: x86_64

Process 21862 stopped
* thread #2, name = 'conn3', stop reason = signal SIGTRAP
    frame #0: 0x00007fff8aedcdd6 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill:
->  0x7fff8aedcdd6 <+10>: jae    0x7fff8aedcde0            ; <+20>
    0x7fff8aedcdd8 <+12>: movq   %rax, %rdi
    0x7fff8aedcddb <+15>: jmp    0x7fff8aed5cdf            ; cerror_nocancel
    0x7fff8aedcde0 <+20>: retq
(lldb) bt
* thread #2, name = 'conn3', stop reason = signal SIGTRAP
  * frame #0: 0x00007fff8aedcdd6 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff8afc8787 libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fff8adf3497 libsystem_c.dylib`raise + 26
    frame #3: 0x00000001015716b4 mongod`mongo::breakpoint() + 84
    frame #4: 0x00000001014affe0 mongod`mongo::invariantFailed(char const*, char const*, unsigned int) + 512
    frame #5: 0x0000000100205839 mongod`mongo::ServiceStateMachine::_processMessage(mongo::ServiceStateMachine::ThreadGuard&) + 2249
    frame #6: 0x0000000100204564 mongod`mongo::ServiceStateMachine::_runNextInGuard(mongo::ServiceStateMachine::ThreadGuard&) + 372
    frame #7: 0x0000000100204f28 mongod`mongo::ServiceStateMachine::runNext() + 56
    frame #8: 0x0000000100203687 mongod`std::__1::__function::__func<mongo::ServiceEntryPointImpl::startSession(std::__1::shared_ptr<mongo::transport::Session>)::$_1, std::__1::allocator<mongo::ServiceEntryPointImpl::startSession(std::__1::shared_ptr<mongo::transport::Session>)::$_1>, void ()>::operator()() + 135
    frame #9: 0x00000001013c6a5c mongod`mongo::(anonymous namespace)::runFunc(void*) + 28
    frame #10: 0x00000001013c6b51 mongod`void* std::__1::__thread_proxy<std::__1::tuple<std::__1::__bind<void* (&)(void*), std::__1::function<void ()>*> > >(void*) + 97
    frame #11: 0x00007fff8afc5aab libsystem_pthread.dylib`_pthread_body + 180
    frame #12: 0x00007fff8afc59f7 libsystem_pthread.dylib`_pthread_start + 286
    frame #13: 0x00007fff8afc51fd libsystem_pthread.dylib`thread_start + 13
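The backtrace shows the junk bytes reaching an invariant inside message processing, so a malformed header terminates the server instead of being rejected. As an added illustration that is not part of this ticket or of the MongoDB code base, the following header parser validates the 16-byte wire-protocol MsgHeader (four little-endian int32s: messageLength, requestID, responseTo, opCode) and returns an error for the junk payload from the reproduction; the 48 MB maximum message size and the opcode list are assumptions taken from the public wire-protocol documentation.

```javascript
// Added example (not from the ticket or the MongoDB code base): a defensive
// parser for the MongoDB wire-protocol MsgHeader that reports junk input as
// an error rather than tripping an assertion.
const HEADER_LEN = 16;
const MAX_MESSAGE_BYTES = 48 * 1000 * 1000; // assumed server maximum (48 MB)
// Assumed opcode values: OP_REPLY, OP_UPDATE, OP_INSERT, OP_QUERY, OP_GET_MORE,
// OP_DELETE, OP_KILL_CURSORS, OP_COMPRESSED, OP_MSG.
const KNOWN_OPCODES = new Set([1, 2001, 2002, 2004, 2005, 2006, 2007, 2012, 2013]);

function parseMsgHeader(buf) {
  if (buf.length < HEADER_LEN) {
    return { ok: false, reason: `short header: ${buf.length} bytes` };
  }
  const messageLength = buf.readInt32LE(0);
  const requestID = buf.readInt32LE(4);
  const responseTo = buf.readInt32LE(8);
  const opCode = buf.readInt32LE(12);
  // Length must cover at least the header and never exceed the server limit.
  if (messageLength < HEADER_LEN || messageLength > MAX_MESSAGE_BYTES) {
    return { ok: false, reason: `bad messageLength ${messageLength}` };
  }
  if (!KNOWN_OPCODES.has(opCode)) {
    return { ok: false, reason: `unknown opCode ${opCode}` };
  }
  return { ok: true, messageLength, requestID, responseTo, opCode };
}

// The junk bytes from the reproduction above: "3123" read as a little-endian
// int32 gives a messageLength of 858927411, far above the limit.
const junk = Buffer.from('312312321321askdjljsaNCKnablibh');

// A constructed, header-only OP_MSG frame that passes the header-level checks.
function wellFormedHeader() {
  const b = Buffer.alloc(HEADER_LEN);
  b.writeInt32LE(HEADER_LEN, 0); // messageLength
  b.writeInt32LE(42, 4);         // requestID
  b.writeInt32LE(0, 8);          // responseTo
  b.writeInt32LE(2013, 12);      // opCode = OP_MSG
  return b;
}

console.log(parseMsgHeader(junk));              // { ok: false, reason: 'bad messageLength 858927411' }
console.log(parseMsgHeader(wellFormedHeader())); // { ok: true, ... opCode: 2013 }
```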


Generated at Thu Feb 08 04:24:18 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.