| Bug #19088 | NDBAPI: Segfault in NdbIndexScanOperation::setBound(...) | ||
|---|---|---|---|
| Submitted: | 13 Apr 2006 20:05 | Modified: | 25 Apr 2006 9:21 |
| Reporter: | Hartmut Holzgraefe | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Cluster: Cluster (NDB) storage engine | Severity: | S3 (Non-critical) |
| Version: | 5.0 | OS: | Any (*) |
| Assigned to: | Jon Stephens | CPU Architecture: | Any |
[21 Apr 2006 8:20]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/5273
[21 Apr 2006 14:01]
Martin Skold
Pushed to 5.0.21 and 5.1.10
[25 Apr 2006 9:21]
Jon Stephens
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.
If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information
about accessing the source trees is available at
http://www.mysql.com/doc/en/Installing_source_tree.html
Additional info:
Documented in 5.1.10 changelog; closed.

Description:
Passing a wrong (nonexistent) index name to

```cpp
int NdbIndexScanOperation::setBound(const char* attr, int type, const void* value, Uint32 len = 0);
```

causes a segfault. The API fails to check its parameters in two different places:

#1 The function itself does a name lookup but doesn't check it for success:

```cpp
int
NdbIndexScanOperation::setBound(const char* anAttrName, int type,
                                const void* aValue, Uint32 len)
{
  return setBound(m_accessTable->getColumn(anAttrName), type, aValue, len);
}
```

getColumn(anAttrName) will return NULL for invalid names; this should be checked for, and an appropriate error code should be returned for failed lookups.

#2 The other setBound() method that the call is delegated to does not check for NULL arguments; it tries to dereference the tAttrInfo* argument passed into it right away:

```cpp
int
NdbIndexScanOperation::setBound(const NdbColumnImpl* tAttrInfo,
                                int type, const void* aValue, Uint32 len)
{
  if (theOperationType == OpenRangeScanRequest &&
      (0 <= type && type <= 4) &&
      len <= 8000) {
    // insert bound type
    Uint32 currLen = theTotalNrOfKeyWordInSignal;
    Uint32 remaining = KeyInfo::DataLength - currLen;
    Uint32 sizeInBytes = tAttrInfo->m_attrSize * tAttrInfo->m_arraySize;
    ...
```

IMHO a crash of a public API function due to an invalid parameter value is only acceptable in one case:
- when it is a pointer parameter and the pointer value passed in is invalid due to an error on the application level
- and when this is *not* a NULL pointer, as this is easy to check for

How to repeat:
test code will be attached later

Suggested fix:
Add parameter error checking to this (and all other) NDBAPI calls. The only time where a crash in a function exposed by a public API due to wrong parameters being passed in is acceptable is when an invalid pointer is passed on from the application level.
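The two missing checks the report describes, shown on a small stand-in for the setBound() call chain. This is an added example written for this page, not MySQL Cluster source and not the patch that closed the bug; ColumnImpl, TableImpl, IndexScanOp and the error numbers 4004/4005 are hypothetical names chosen for the illustration, and the table contents are constructed inline. It reproduces the report's misuse (a nonexistent column name) and shows it turning into an error return rather than a dereference of NULL.

```cpp
// Added example, not MySQL Cluster source: a minimal stand-in for the two-level
// setBound() call chain from the report, with the parameter checks it asks for.
// Class names and error numbers are hypothetical; the real NDB API has its own.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

constexpr int ERR_NONE         = 0;
constexpr int ERR_INVALID_ATTR = 4004;  // hypothetical: name lookup failed / NULL column
constexpr int ERR_BAD_BOUND    = 4005;  // hypothetical: bound type or length out of range

// Stand-in for NdbColumnImpl: only the two fields setBound() dereferences.
struct ColumnImpl {
    std::string name;
    uint32_t    attrSize;   // bytes per array element
    uint32_t    arraySize;  // number of elements
};

// Stand-in for the table metadata behind m_accessTable.
class TableImpl {
public:
    void addColumn(const char* name, uint32_t attrSize, uint32_t arraySize) {
        columns_.push_back(ColumnImpl{name, attrSize, arraySize});
    }
    // Same contract the report relies on: an unknown (or NULL) name yields NULL.
    const ColumnImpl* getColumn(const char* name) const {
        if (name == nullptr) return nullptr;
        for (const ColumnImpl& c : columns_)
            if (c.name == name) return &c;
        return nullptr;
    }
private:
    std::vector<ColumnImpl> columns_;
};

// Stand-in for NdbIndexScanOperation with just the two setBound() overloads.
class IndexScanOp {
public:
    explicit IndexScanOp(const TableImpl* table) : m_accessTable(table) {}

    // Name-based overload. Defect #1 in the report: the lookup result was passed
    // on unchecked. Here a failed lookup becomes an error return instead.
    int setBound(const char* anAttrName, int type, const void* aValue, uint32_t len) {
        const ColumnImpl* col = m_accessTable->getColumn(anAttrName);
        if (col == nullptr) { m_error = ERR_INVALID_ATTR; return -1; }
        return setBound(col, type, aValue, len);
    }

    // Column-based overload. Defect #2 in the report: tAttrInfo was dereferenced
    // right away. Here NULL is rejected before the first field access.
    int setBound(const ColumnImpl* tAttrInfo, int type, const void* aValue, uint32_t len) {
        if (tAttrInfo == nullptr) { m_error = ERR_INVALID_ATTR; return -1; }
        // The original silently did nothing outside this range; reporting it is an added choice.
        if (!(0 <= type && type <= 4) || len > 8000) { m_error = ERR_BAD_BOUND; return -1; }
        uint32_t sizeInBytes = tAttrInfo->attrSize * tAttrInfo->arraySize;
        bounds_.push_back(Bound{tAttrInfo->name, type, aValue != nullptr, sizeInBytes});
        return 0;
    }

    int    getErrorCode() const { return m_error; }
    size_t boundCount()   const { return bounds_.size(); }

private:
    struct Bound { std::string attr; int type; bool hasValue; uint32_t sizeInBytes; };
    const TableImpl*   m_accessTable;
    int                m_error = ERR_NONE;
    std::vector<Bound> bounds_;
};

// Constructed one-column table used by the demos below.
static TableImpl makeTable() { TableImpl t; t.addColumn("a", 4, 1); return t; }

// The call from the report with a bogus name: returns the error code set.
// The unguarded original would have crashed on tAttrInfo->m_attrSize here.
int demoInvalidName() {
    TableImpl t = makeTable(); IndexScanOp op(&t); uint32_t v = 7;
    return op.setBound("does_not_exist", 0, &v, sizeof v) == -1 ? op.getErrorCode() : ERR_NONE;
}

// Defect #2 in isolation: the column-based overload called with NULL.
int demoNullColumn() {
    TableImpl t = makeTable(); IndexScanOp op(&t); uint32_t v = 7;
    return op.setBound(static_cast<const ColumnImpl*>(nullptr), 0, &v, sizeof v) == -1
               ? op.getErrorCode() : ERR_NONE;
}

// The well-formed call still succeeds and records one bound.
int demoValidName() {
    TableImpl t = makeTable(); IndexScanOp op(&t); uint32_t v = 7;
    if (op.setBound("a", 0, &v, sizeof v) != 0) return -1;
    return static_cast<int>(op.boundCount());
}

int main() {
    std::printf("invalid name -> error %d\n", demoInvalidName());
    std::printf("NULL column  -> error %d\n", demoNullColumn());
    std::printf("valid call   -> %d bound(s)\n", demoValidName());
    return 0;
}
```

The check in the column-based overload is the one that matters for the API boundary: the name-based overload is only one of the callers that can hand it a NULL, so guarding the shared entry point covers all of them. The example stores a plain integer where the real NDB API would report the failure through the operation's own error object.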