Bug #53412 nodeid range not checked when allocating nodeid in ndb_mgmd
Submitted: 4 May 2010 13:51 Modified: 11 May 2010 12:53
Reporter: Magnus Blåudd
Status: Closed
Category: MySQL Cluster: Cluster (NDB) storage engine    Severity: S2 (Serious)
Version: 7.0.15    OS: Any
Assigned to: Magnus Blåudd    CPU Architecture: Any

[4 May 2010 13:51] Magnus Blåudd
Description:
MgmApiSession::get_nodeid does not check that the requested nodeid parameter is within range (currently 1-255).

This leads to an assert in debug mode if starting an ndb api client program with --ndb-nodeid=256, and a read past the end of the allocated area in a release compile.

#0  0x0000003a676334b5 in *__GI_raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003a67636f50 in *__GI_abort () at abort.c:92
#2  0x0000003a6762c481 in *__GI___assert_fail (
    assertion=<value optimized out>, file=<value optimized out>, 
    line=<value optimized out>, function=<value optimized out>) at assert.c:81
#3  0x000000000049381d in BitmaskImpl::get (size=8, data=0x26a6a98, n=256)
    at ../../../../storage/ndb/include/util/Bitmask.hpp:202
#4  0x00000000004990e5 in BitmaskPOD<8u>::get (data=0x26a6a98, n=256)
    at ../../../../storage/ndb/include/util/Bitmask.hpp:702
#5  0x000000000049516c in BitmaskPOD<8u>::get (this=0x26a6a98, n=256)
    at ../../../../storage/ndb/include/util/Bitmask.hpp:709
#6  0x00000000004a24d8 in MgmtSrvr::Allocated_resources::is_reserved (
    this=0x26a6a90, nodeId=256) at MgmtSrvr.hpp:91
#7  0x000000000049b249 in MgmApiSession::get_nodeid (this=0x27065b0, args=...)
    at Services.cpp:528
#8  0x00000000004a2902 in Parser<MgmApiSession>::run (this=0x26a38c0, ctx=..., 
    t=..., stop=0x0) at ../../../../storage/ndb/include/util/Parser.hpp:209
#9  0x000000000049aaa9 in MgmApiSession::runSession (this=0x27065b0)
    at Services.cpp:390
#10 0x000000000058dc1b in sessionThread_C (_sc=0x27065b0)
    at SocketServer.cpp:399

How to repeat:
Start ndb_mgmd and run for example:
./ndb_select_count -c localhost:13000 --ndb-nodeid=256 T1
                                                   ^^^

Suggested fix:
Check that the nodeid parameter in 'get_nodeid' is within allowed range.
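The following is an added illustration of the suggested fix, written for this page; it is not ndb_mgmd code and not from the report or the committed patch. The names (NodeBitmask, AllocatedResources, parse_nodeid, get_nodeid, kMaxNodeId, kBitmaskWords) are hypothetical; only the sizes follow the backtrace (BitmaskPOD<8u> holds 8 x 32 = 256 bits, so index 256 lands in a ninth word that does not exist) and the range follows the report (1 to 255 inclusive). The bitmask read is deliberately unchecked, as in a release build; the point is that the request handler validates the client-supplied value before anything indexes with it.

```cpp
#include <cctype>
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Hypothetical names; only the sizes mirror the report (BitmaskPOD<8u> = 256 bits).
constexpr unsigned kMaxNodeId    = 255;  // allowed nodeid range is 1..255 inclusive
constexpr unsigned kBitmaskWords = 8;    // 8 words x 32 bits = indices 0..255

// True when n maps to a word inside the array; 256 maps to word 8, one past the end.
bool index_in_bounds(unsigned n) { return (n >> 5) < kBitmaskWords; }

struct NodeBitmask {
    uint32_t data[kBitmaskWords] = {};
    // Unchecked read, as in a release build: the caller must guarantee n < 256,
    // otherwise data[n >> 5] reads past the end of the array.
    bool get(unsigned n) const { return (data[n >> 5] >> (n & 31u)) & 1u; }
    void set(unsigned n)       { data[n >> 5] |= (1u << (n & 31u)); }
};

struct AllocatedResources {
    NodeBitmask reserved;
    bool is_reserved(unsigned nodeId) const { return reserved.get(nodeId); }
};

enum class NodeIdCheck { Ok, NotANumber, OutOfRange };

// Validate the client-supplied "nodeid" argument before it is used as an index.
// Accepts only a plain decimal string whose value lies in 1..kMaxNodeId.
NodeIdCheck parse_nodeid(const std::string& arg, unsigned* out) {
    if (arg.empty() || !std::isdigit(static_cast<unsigned char>(arg[0])))
        return NodeIdCheck::NotANumber;           // also rejects "-1" and leading spaces
    errno = 0;
    char* end = nullptr;
    unsigned long v = std::strtoul(arg.c_str(), &end, 10);
    if (errno == ERANGE || *end != '\0')
        return NodeIdCheck::NotANumber;           // overflow or trailing junk such as "12abc"
    if (v < 1 || v > kMaxNodeId)
        return NodeIdCheck::OutOfRange;           // 0 and 256+ never reach the bitmask
    *out = static_cast<unsigned>(v);
    return NodeIdCheck::Ok;
}

enum class GetNodeIdResult { Allocated, Reserved, Rejected };

// Hardened request path: range check first, then the bitmask lookup, then reserve.
GetNodeIdResult get_nodeid(AllocatedResources& res, const std::string& nodeid_arg,
                           unsigned* assigned) {
    unsigned nodeId = 0;
    if (parse_nodeid(nodeid_arg, &nodeId) != NodeIdCheck::Ok)
        return GetNodeIdResult::Rejected;
    if (res.is_reserved(nodeId))
        return GetNodeIdResult::Reserved;
    res.reserved.set(nodeId);
    *assigned = nodeId;
    return GetNodeIdResult::Allocated;
}

int main() {
    AllocatedResources res;
    // Constructed sample requests: the report's 256, plus other inputs a client could send.
    const char* requests[] = { "256", "0", "-1", "12abc", "7", "7", "255" };
    for (const char* r : requests) {
        unsigned id = 0;
        GetNodeIdResult rc = get_nodeid(res, r, &id);
        std::printf("nodeid=%-6s -> %s\n", r,
                    rc == GetNodeIdResult::Allocated ? "allocated" :
                    rc == GetNodeIdResult::Reserved  ? "already reserved" : "rejected");
    }
    std::printf("index_in_bounds(256) = %d\n", index_in_bounds(256));
    return 0;
}
```

The check belongs on the server side of the management protocol: --ndb-nodeid=256 is only one way for a client to send the value, and the debug-build assert in BitmaskImpl::get catches it only where assertions are compiled in, while a release build silently reads one word past the array.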
[7 May 2010 13:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/107749
[10 May 2010 7:38] Magnus Blåudd
Pushed to 7.0.15 and 7.1.4
[11 May 2010 12:53] Jon Stephens
Documented in the NDB-7.0.15 and 7.1.4 changelogs as follows:

        The value set for the ndb_mgmd option --ndb-nodeid was not verified
        prior to use as being within the allowed range (1 to 255, inclusive),
        leading to a crash of the management server.

Closed.