[SERVER-7505] RamLog can read past end of buffer Created: 30/Oct/12  Updated: 15/Feb/13  Resolved: 30/Oct/12

Status: Closed
Project: Core Server
Component/s: Logging
Affects Version/s: 2.0.7, 2.2.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Ben Becker Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

Description

When a log line is longer than 255 characters, RamLog::write() does a memcpy() from a string::c_str() without null-terminating the string buffer. I don't see any protection in the get functions (unless I'm missing something?), so we may get bad/bogus data (or even segv) when requesting the RamLog's contents.

https://github.com/mongodb/mongo/blob/master/src/mongo/util/ramlog.cpp#L51



Comments
Comment by Ben Becker [ 30/Oct/12 ]

Got it; didn't realize the last byte was always protected. Thanks.

Comment by Eliot Horowitz (Inactive) [ 30/Oct/12 ]

We zero the buffer out and only copy C-1 elements.
So the last entry will always be 0.

Comment by Ben Becker [ 30/Oct/12 ]

Next conditional; if sz !< C.

Comment by Eliot Horowitz (Inactive) [ 30/Oct/12 ]

Look 1 line further down.
p[sz-1] = 0;
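
The invariant the thread settles on (buffer zeroed at construction, at most C-1 bytes copied for a long line, terminator written explicitly), shown as an added C model that is not MongoDB's ramlog.cpp; the slot width C = 256, the ring of four slots and the function names are assumptions, and the ticket's `p[sz-1] = 0` appears here as `p[C - 1] = 0` because the copy length is clamped to C-1 first.

```c
#include <stdlib.h>
#include <string.h>
/* Assumed geometry (not from ramlog.cpp): lines over 255 chars are truncated per
   the report, so each slot is C = 256 bytes; four slots form the ring. */
#define C 256
#define N 4

typedef struct {
    char lines[N][C];
    unsigned next;              /* slot that the next write lands in */
} ram_log_t;
/* Zeroing at construction: byte C-1 of every slot starts as 0 and stays 0. */
void ram_log_init(ram_log_t *log) {
    memset(log, 0, sizeof *log);
}

/* Store one line; returns how many bytes of the input were kept. */
size_t ram_log_write(ram_log_t *log, const char *s, size_t sz) {
    char *p = log->lines[log->next % N];
    log->next++;
    if (sz < C) {
        memcpy(p, s, sz);
        p[sz] = 0;              /* explicit terminator; sz <= C-1, so in bounds */
        return sz;
    }
    memcpy(p, s, C - 1);        /* long line: copy at most C-1 bytes ... */
    p[C - 1] = 0;               /* ... and the final byte is written as 0 */
    return C - 1;
}

/* Every slot must hold a 0 within its C bytes, or a reader could run past it. */
int ram_log_all_terminated(const ram_log_t *log) {
    for (int i = 0; i < N; i++)
        if (memchr(log->lines[i], 0, C) == NULL)
            return 0;
    return 1;
}

/* Write a constructed line of n 'a' characters into a fresh log and return the
   length a reader sees via strlen(); (size_t)-1 if any slot lost its terminator. */
size_t stored_len_after_write(size_t n) {
    ram_log_t log; char *buf = malloc(n + 1);
    ram_log_init(&log);
    memset(buf, 'a', n); buf[n] = 0;
    ram_log_write(&log, buf, n);
    free(buf);
    return ram_log_all_terminated(&log) ? strlen(log.lines[0]) : (size_t)-1;
}
```

Reading a slot with strlen() therefore never runs past its C bytes, whatever the input length was.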
