Bug #38580 NDB : Buffer overrun during node shutdown handling results in SEGV
Submitted: 5 Aug 2008 20:58 Modified: 15 Oct 2008 16:53
Reporter: Frazer Clement
Status: Closed
Category: Server: Cluster    Severity: S3 (Non-critical)
Version: 5.1+    OS: Any
Assigned to: Frazer Clement    Target Version:
Triage: D4 (Minor)

[5 Aug 2008 20:58] Frazer Clement
Description:
When CopyFragRef is sent to a running node during node restart, the starting node is
shut down as expected.

However, while reporting the reason for the shutdown, ErrorReporter::handleError()
experiences a SEGFAULT(), which invokes the signal handler, which invokes the
ErrorReporter.  However, the second time, the ErrorReporter succeeds.  For this reason,
this bug is not too severe.

How to repeat:
Repeated by causing node restart to fail, resulting in COPYFRAGREF being sent to DIH and DIH
instructing the starting node to crash.

Suggested fix:
Fix the code adding "\n" to the end of the error file message dump: it actually adds "\n\0", which
overwrites the first byte of the next item on the stack, the AutoPtr responsible for
freeing some memory.
(See ErrorReporter::formatMessage().)

When the AutoPtr destructs, it attempts to free the memory and gets a SEGV.

=== modified file 'storage/ndb/src/kernel/error/ErrorReporter.cpp'
--- storage/ndb/src/kernel/error/ErrorReporter.cpp      2008-04-23 13:42:17 +0000
+++ storage/ndb/src/kernel/error/ErrorReporter.cpp      2008-08-05 18:55:30 +0000
@@ -162,8 +162,9 @@ ErrorReporter::formatMessage(Uint32 num_
     strcat(messptr, " ");
   }

-  strcat(messptr, "\n");
-
+  messptr[ MESSAGE_LENGTH - 2 ]= '\n';
+  messptr[ MESSAGE_LENGTH - 1 ]= 0;
+
   return;
 }
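Review bot: the fixed offsets MESSAGE_LENGTH-2 and MESSAGE_LENGTH-1 are only correct if every byte of messptr up to index MESSAGE_LENGTH-2 has already been written by the time this point is reached; the `strcat(messptr, " ");` padding in the surrounding context suggests that is the intent, but a message that is not padded that far would keep the '\0' strcat left earlier, and the '\n' would then sit past the end of the string and never be printed. Suggest stating that precondition in a comment above the two assignments, e.g. `/* messptr is padded to MESSAGE_LENGTH-2; terminate in place instead of appending */`, and adding an assertion that the buffer handed to formatMessage() is exactly MESSAGE_LENGTH bytes, since both index expressions depend on that size.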
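The off-by-one described in the suggested fix, as an added C example that is not part of the bug report or of NDB's own code: it contrasts what strcat(messptr, "\n") does to a full buffer with the patch's in-place termination. MESSAGE_LENGTH is a constructed stand-in value, fill_message is a hypothetical stand-in for the rest of formatMessage(), and the space padding in terminate_fixed is an assumption about what precedes the patched lines.

```c
#include <string.h>
/* Constructed stand-in for NDB's MESSAGE_LENGTH; the real constant is larger. */
#define MESSAGE_LENGTH 32

/* Hypothetical stand-in for the earlier part of formatMessage(): copy text
 * into the buffer, truncated to MESSAGE_LENGTH-1 chars so it stays NUL-terminated. */
static void fill_message(char *messptr, const char *text)
{
    size_t n = strlen(text) > MESSAGE_LENGTH - 1 ? MESSAGE_LENGTH - 1 : strlen(text);
    memcpy(messptr, text, n);
    messptr[n] = '\0';
}

/* Bytes that strcat(messptr, "\n") would write past the buffer: strcat appends
 * '\n' AND a fresh '\0', so a full buffer (strlen == MESSAGE_LENGTH-1) pushes
 * the NUL one byte past the end, the byte that clobbered the AutoPtr. */
static size_t newline_overrun_bytes(const char *messptr)
{
    size_t needed = strlen(messptr) + 2;
    return needed > MESSAGE_LENGTH ? needed - MESSAGE_LENGTH : 0;
}

/* The patch's approach: '\n' and '\0' at fixed in-bounds offsets instead of appending.
 * Assumption: the real code is already padded that far; this helper pads with spaces. */
static void terminate_fixed(char *messptr)
{
    size_t n = strlen(messptr);
    while (n < MESSAGE_LENGTH - 2)
        messptr[n++] = ' ';
    messptr[MESSAGE_LENGTH - 2] = '\n';
    messptr[MESSAGE_LENGTH - 1] = '\0';
}

/* Overrun the original strcat("\n") would cause for this message text. */
size_t overrun_for(const char *text)
{
    char buf[MESSAGE_LENGTH];
    fill_message(buf, text);
    return newline_overrun_bytes(buf);
}

/* 1 if the fixed termination yields a NUL-terminated, newline-ended line that
 * fits the buffer exactly (strlen == MESSAGE_LENGTH-1) for this text. */
int fixed_fits(const char *text)
{
    char buf[MESSAGE_LENGTH];
    fill_message(buf, text);
    terminate_fixed(buf);
    return strlen(buf) == MESSAGE_LENGTH - 1 && buf[MESSAGE_LENGTH - 2] == '\n';
}
```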
[7 Aug 2008 14:45] Frazer Clement
Minor bug with no workaround and minimal impact

Proposed patch attached to original bug report
[12 Aug 2008 0:57] Jon Stephens
Need complete version numbers in which fix will appear in order to document. Thanks.
[26 Aug 2008 17:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52578
[15 Oct 2008 14:10] Frazer Clement
Pushed to 6.2.16, 6.3.18, 6.4.0
[15 Oct 2008 16:53] Jon Stephens
Documented bugfix in the ndb-6.2.16 and ndb-6.3.18 changelogs as follows:

        When restarting a data node, an excessively long shutdown message could
        cause the node process to crash.
[13 Dec 2008 0:27] Bugs System
Pushed into 6.0.7-alpha  (revid:frazer@mysql.com-20080826153354-w2detgtel1vu7vod) (version
source revid:tomas.ulin@sun.com-20080902154454-pvi3xa61d2wtxtbg) (pib:5)