Bug #73781 NdbBulkAllocator::allocObjMem unconditionally increments m_nextObjNo
Submitted: 1 Sep 2014 11:19
Modified: 13 Mar 2015 13:03
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Cluster: NDB API
Severity: S2 (Serious)
Version: 7.2.10
OS: Any
Assigned to:
CPU Architecture: Any

[1 Sep 2014 11:19] Shane Bester
Description:
m_nextObjNo is incremented here even if the function returns NULL:

void* NdbBulkAllocator::allocObjMem(Uint32 noOfObjs)
{
  assert(m_nextObjNo + noOfObjs <=  m_maxObjs);
  void * const result = m_buffer+m_objSize*m_nextObjNo;
  m_nextObjNo += noOfObjs;
  return m_nextObjNo > m_maxObjs ? NULL : result;
}

This means that once a large alloc attempt is made, a smaller one that might actually fit will also fail.

How to repeat:
Read the code.  One solid example of encountering this in NdbResultSet::init:

        m_buffer = reinterpret_cast<char*>(bufferAlloc.allocObjMem(bufferSize));

        // So that we can test for buffer overrun.
        m_batchOverflowCheck =
          reinterpret_cast<Uint32*>(bufferAlloc.allocObjMem(sizeof(Uint32)));
        *m_batchOverflowCheck = 0xacbd1234;

If m_buffer gets NULL, the next alloc fails, and m_batchOverflowCheck will be a NULL pointer too.

Suggested fix:
o) Fix function NdbBulkAllocator::allocObjMem.
o) Ensure all callers of this function check for NULL returns.
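
The failure mode described above, as an added example that is not from the bug report or the NDB source: a minimal stand-in bump allocator carrying the reported allocObjMem logic beside a corrected version, showing that after one oversized request the reported version also rejects a small request that would still fit. The class and function names are constructed for illustration, and the original's debug assert is left out so the release-build behaviour is visible.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Stand-in for NdbBulkAllocator (constructed for this example, not NDB code):
// a fixed-capacity bump allocator handing out objects of m_objSize bytes.
class BulkAllocator {
public:
  BulkAllocator(uint32_t objSize, uint32_t maxObjs)
    : m_objSize(objSize), m_maxObjs(maxObjs), m_nextObjNo(0),
      m_buffer(static_cast<size_t>(objSize) * maxObjs) {}

  // Logic as reported in the bug: the cursor advances before the bounds
  // check, so a request that does not fit still consumes capacity.
  void* allocObjMemReported(uint32_t noOfObjs) {
    void* const result = m_buffer.data() + m_objSize * m_nextObjNo;
    m_nextObjNo += noOfObjs;
    return m_nextObjNo > m_maxObjs ? nullptr : result;
  }

  // Corrected form: check first (without unsigned overflow), advance only
  // on success, so a failed request leaves the allocator state unchanged.
  void* allocObjMemFixed(uint32_t noOfObjs) {
    if (noOfObjs > m_maxObjs - m_nextObjNo) return nullptr;
    void* const result = m_buffer.data() + m_objSize * m_nextObjNo;
    m_nextObjNo += noOfObjs;
    return result;
  }

  uint32_t used() const { return m_nextObjNo; }

private:
  uint32_t m_objSize, m_maxObjs, m_nextObjNo;
  std::vector<char> m_buffer;
};

// Replays the sequence from NdbResultSet::init: one request too large for the
// buffer, then a small one that fits. Returns true if the small request
// succeeded; with the reported logic it does not.
bool smallAllocAfterFailedLargeAlloc(bool useFixed) {
  BulkAllocator alloc(1, 16);  // 16 one-byte objects of capacity
  void* big = useFixed ? alloc.allocObjMemFixed(32) : alloc.allocObjMemReported(32);
  assert(big == nullptr);      // 32 > 16 fails in both versions
  void* small = useFixed ? alloc.allocObjMemFixed(4) : alloc.allocObjMemReported(4);
  return small != nullptr;
}
```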
[13 Mar 2015 13:03] Jon Stephens
This is fixed by the fix for BUG#75599, see same for docs & changelog info.

Closed.