Bug #47120 ErrorReporter::formatMessage overruns the buffer
Submitted: 4 Sep 2009 5:37 Modified: 3 Mar 2010 5:47
Reporter: jack andrews Email Updates:
Status: Need Merge Impact on me: None
Category:MySQL Cluster: Cluster (NDB) storage engine Severity:S3 (Non-critical)
Version:mysql-5.1-telco-7.0 OS:Any
Assigned to: Assigned Account CPU Architecture:Any

[4 Sep 2009 5:37] jack andrews
Description:
the call to formatMessage at 
  storage\ndb\src\kernel\error\ErrorReporter.cpp:288 
overflows the buffer, corrupting the 'stream' variable.

i increased the size of the buffer like so:

--- storage/ndb/src/kernel/error/ErrorReporter.cpp      2009-05-27 15:21:45 +0000
+++ storage/ndb/src/kernel/error/ErrorReporter.cpp      2009-09-04 05:10:45 +0000
@@ -31,7 +31,7 @@

 #include <NdbAutoPtr.hpp>

-#define MESSAGE_LENGTH 500
+#define MESSAGE_LENGTH 999

 static int WriteMessage(int thrdMessageID,
                        const char* thrdProblemData,
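Review bot: Raising MESSAGE_LENGTH from 500 to 999 only moves the overflow boundary; the hunk adds no length check, so any message longer than the new constant still overruns the buffer and corrupts whatever follows it. The fix belongs in formatMessage() itself: bound every write to the space remaining in the buffer (snprintf with the remaining size) so the message is truncated, as Magnus asks below, and the constant can then stay at 500.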

and that temporarily fixes the problem.

How to repeat:
.

Suggested fix:
.
[4 Sep 2009 8:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/82415

2977 jack andrews	2009-09-04
      Bug #47120: ErrorReporter::formatMessage overruns the buffer
[4 Sep 2009 11:08] Magnus Blåudd
Please write a patch that simply truncates the error message
[7 Sep 2009 4:06] jack andrews
jonas suggested making buffer bigger and to fix the overrun bug.
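The two suggestions in this thread differ: a bigger buffer only delays the overrun, while truncation removes it for every input size. The block below is an added example written for this page, not code from the MySQL Cluster tree; it shows a formatter in the shape of formatMessage() whose every snprintf() is bounded by the room left in the caller's buffer. MESSAGE_LENGTH (500) and the 9998-byte input come from this report; the function name formatMessageBounded, the field labels and the argument list are assumptions made for the example.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Same buffer size as the original ErrorReporter.cpp define.
#define MESSAGE_LENGTH 500

// Hypothetical bounded formatter (not the project's own function): every
// snprintf() is given the space that remains in the caller's buffer, so an
// oversized field is truncated instead of overrunning 'messptr'. The field
// labels are invented for this example.
// Returns the number of characters stored, excluding the terminating NUL.
size_t formatMessageBounded(int faultID, const char* problemData,
                            const char* objRef, const char* traceFile,
                            char* messptr, size_t messlen)
{
  if (messlen == 0) return 0;
  messptr[0] = '\0';
  size_t used = 0;

  // Append one "label: value\n" field. snprintf() returns the length it
  // wanted to write, which may exceed the room left; clamp it so 'used'
  // never passes the last writable byte.
  auto append = [&](const char* label, const char* value) {
    if (used + 1 >= messlen) return;                 // only the NUL fits
    int n = std::snprintf(messptr + used, messlen - used, "%s: %s\n",
                          label, value);
    if (n < 0) { messptr[used] = '\0'; return; }     // encoding error: keep what we have
    size_t want = static_cast<size_t>(n);
    size_t room = messlen - used;                    // includes the NUL slot
    used += (want < room) ? want : room - 1;
  };

  char id[32];
  std::snprintf(id, sizeof id, "%d", faultID);
  append("Fault ID", id);
  append("Problem data", problemData);
  append("Object of reference", objRef);
  append("Trace file", traceFile);
  return used;
}

// Normal-size input: everything fits and the text comes back unchanged.
std::string formatSmall()
{
  char buf[MESSAGE_LENGTH];
  formatMessageBounded(7, "p", "o", "t", buf, sizeof buf);
  return std::string(buf);
}

// Constructed oversized input in the spirit of the Mutex.hpp reproducer
// (9998 'Z' bytes). Returns the stored length, which can be at most
// MESSAGE_LENGTH-1, and whether the buffer is still NUL-terminated there.
struct Oversized { size_t stored; bool terminated; };

Oversized formatOversized()
{
  std::string big(9998, 'Z');
  char buf[MESSAGE_LENGTH];
  size_t n = formatMessageBounded(3, big.c_str(), "objref", "trace",
                                  buf, sizeof buf);
  return { n, n < sizeof buf && buf[n] == '\0' && std::strlen(buf) == n };
}

int main()
{
  Oversized o = formatOversized();
  std::printf("small:\n%s", formatSmall().c_str());
  std::printf("oversized: stored %zu of %d bytes, terminated=%d\n",
              o.stored, MESSAGE_LENGTH, (int)o.terminated);
  return 0;
}
```

The point of the clamp after each snprintf() is that the return value is the length the call wanted, not the length it wrote; code that adds it to the running offset unchecked walks the pointer past the end of the buffer on the very next field, which is the overrun this bug describes. With the clamp, the 9998-byte problemData fills the buffer to 499 characters plus the NUL and the remaining fields are simply dropped.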
[1 Dec 2009 7:07] jack andrews
i'm trying to write a tap unit test to reproduce the error, but following all the includes and dependencies, i have to include and link everything under src/kernel.

here's what i'm trying to do in ErrorReporter.cpp

#ifdef TEST
#include <NdbTap.hpp>

TAPTEST(BaseString)
{
/*
formatMessage(int thr_no, Uint32 num_threads, int faultID,
              const char* problemData, const char* objRef,
              const char* theNameOfTheTraceFile, char* messptr)
*/
  /* messptr is an output buffer; a string literal is not writable */
  char messptr[MESSAGE_LENGTH];
  ErrorReporter::formatMessage(1, 2, 3, "problem", "objref", "trace", messptr);
  return 1;
}
#endif
[3 Feb 2010 6:32] jack andrews
i can't see anything wrong with ErrorReporter::formatMessage() -- at least, i can't see anything wrong with the snprintf()s.

i can't reproduce because the bug that exposed the problem has been fixed.
[25 Feb 2010 4:35] jack andrews
to reproduce, apply patch below and start an ndbd.

=== modified file 'storage/ndb/src/kernel/vm/Mutex.hpp'
--- storage/ndb/src/kernel/vm/Mutex.hpp 2009-05-27 12:11:46 +0000
+++ storage/ndb/src/kernel/vm/Mutex.hpp 2010-02-25 04:30:58 +0000
@@ -272,6 +272,11 @@
 inline
 bool
 Mutex::create(SimulatedBlock::Callback & callback){
+      char *s=(char*)malloc(9999);
+    for(int i=0;i<9998;i++)s[i]='Z';
+    s[9998]=0;
+    ErrorReporter::handleAssert(s, __FILE__, __LINE__);
+
   if(m_ptr.isNull()){
     if(m_mgr.seize(m_ptr)){
       m_ptr.p->m_mutexId = m_mutexId;
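Review bot: This hunk is a reproducer, not a change to merge: it calls ErrorReporter::handleAssert() unconditionally at the top of Mutex::create() with a 9998-byte message, the malloc()ed buffer is never freed, and the indentation of the `char *s` line does not match the surrounding code. Keep it out of the tree and carry the oversized-message case as a unit test against formatMessage() instead, where the expected result is a truncated, NUL-terminated message of at most MESSAGE_LENGTH bytes.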
[25 Feb 2010 5:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/101400

3412 Jack Andrews	2010-02-25
      Bug #47120  ErrorReporter::formatMessage overruns the buffer
         . fixed buffer overflow
[1 Mar 2010 11:59] Magnus Blåudd
Patch is ok.
[2 Mar 2010 1:16] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/101988

3413 Jack Andrews	2010-03-02 [merge]
      merge for Bug #47120  ErrorReporter::formatMessage overruns the buffer
[2 Mar 2010 1:17] Bugs System
Pushed into 5.1.41-ndb-7.0.14 (revid:jack@sun.com-20100302011538-xu06u5kpd1vryy0p) (version source revid:jack@sun.com-20100302011538-xu06u5kpd1vryy0p) (merge vers: 5.1.41-ndb-7.0.14) (pib:16)
[2 Mar 2010 12:03] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/102023

3475 Martin Skold	2010-03-02 [merge]
      Merge
      modified:
        storage/ndb/src/kernel/error/ErrorReporter.cpp
[3 Mar 2010 5:47] Jon Stephens
Documented bugfix in the NDB-7.0.14 changelog as follows:

      The internal ErrorReporter::formatMessage() method could in some cases
      cause a buffer overflow.

Set to Need Merge since it appears this will need to be merged to 7.1 at some point.