[SERVER-7505] RamLog can read past end of buffer
Created: 30/Oct/12 Updated: 15/Feb/13 Resolved: 30/Oct/12

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Logging |
| Affects Version/s: | 2.0.7, 2.2.0 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Ben Becker |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Participants: | |

Description
When a log line is longer than 255 characters, RamLog::write() does a memcpy() from a string::c_str() without null-terminating the string buffer. I don't see any protection in the get functions (unless I'm missing something?), so we may get bad/bogus data (or even segv) when requesting the RamLog's contents. https://github.com/mongodb/mongo/blob/master/src/mongo/util/ramlog.cpp#L51
Comments

Comment by Ben Becker [ 30/Oct/12 ]

Got it; didn't realize the last byte was always protected. Thanks.

Comment by Eliot Horowitz (Inactive) [ 30/Oct/12 ]

We zero the buffer out and only copy C-1 elements.

Comment by Ben Becker [ 30/Oct/12 ]

Next conditional; if sz !< C.

Comment by Eliot Horowitz (Inactive) [ 30/Oct/12 ]

Look 1 line further down.
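The pattern the thread settles on (zero the line buffer, then copy at most C-1 bytes so the last byte of every slot is always NUL) is shown below as an added illustration. This is not MongoDB's RamLog code: the class name LineLog, the slot count N, the ring-buffer layout and the helper functions are assumptions constructed here to demonstrate why a fixed-size copy done this way cannot leave an unterminated line for the readers to run off the end of.

```cpp
#include <algorithm>
#include <cstring>
#include <iostream>
#include <string>

// Illustrative fixed-size in-memory log (assumed design, not the project's code).
// Each line lives in a C-byte slot; the slot is zeroed before the copy and at most
// C-1 bytes are written, so slot[C-1] is always '\0' and readers can treat every
// slot as a plain C string regardless of the input length.
class LineLog {
public:
    static constexpr int C = 256;  // line capacity: 255 characters plus the NUL (as in the ticket)
    static constexpr int N = 8;    // number of retained lines (constructed value)

    LineLog() : next_(0), count_(0) { std::memset(lines_, 0, sizeof(lines_)); }

    // Store one line, truncating to C-1 bytes. The memset guarantees termination
    // even when the input fills the slot; memcpy on its own would not.
    void write(const std::string& s) {
        char* dst = lines_[next_];
        std::memset(dst, 0, C);
        size_t n = std::min(s.size(), static_cast<size_t>(C - 1));
        std::memcpy(dst, s.data(), n);
        next_ = (next_ + 1) % N;
        if (count_ < N) ++count_;
    }

    // Read back slot i (0 = oldest retained line). Safe because every slot is NUL-terminated.
    std::string get(int i) const {
        int idx = (next_ + N - count_ + i) % N;
        return std::string(lines_[idx]);
    }

    int size() const { return count_; }

    // The property the reporter was worried about: no slot may lack its terminator.
    bool allTerminated() const {
        for (int i = 0; i < N; ++i)
            if (lines_[i][C - 1] != '\0') return false;
        return true;
    }

private:
    char lines_[N][C];
    int next_;
    int count_;
};

// Write a line of the given length and return how many characters get() reads back.
size_t storedLength(size_t inputLen) {
    LineLog log;
    log.write(std::string(inputLen, 'x'));
    return log.get(0).size();
}

// Write an oversized line and confirm every slot still ends in NUL.
bool longLineTerminated() {
    LineLog log;
    log.write(std::string(1000, 'y'));
    return log.allTerminated();
}

// Write more lines than the log retains and return the oldest one still readable.
std::string oldestAfterOverflow() {
    LineLog log;
    for (int i = 0; i < LineLog::N + 2; ++i)
        log.write("line " + std::to_string(i));
    return log.get(0);
}

int main() {
    std::cout << "300-char line stored as " << storedLength(300) << " chars\n";
    std::cout << "terminated after oversized write: " << (longLineTerminated() ? "yes" : "no") << "\n";
    std::cout << "oldest line after overflow: " << oldestAfterOverflow() << "\n";
    return 0;
}
```

The important detail is the pairing of memset with a copy length capped at C-1: either half alone is insufficient, since a full-length memcpy into a zeroed slot would overwrite the terminator, and a capped copy into an unzeroed slot could leave stale bytes after a shorter line.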