Bug #31244 NULL pointer dereference in net_clear()
Submitted: 27 Sep 2007 14:43 Modified: 28 Feb 2009 19:58
Reporter: Robert Obermeyer Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: C API (client library) Severity:S2 (Serious)
Version:5.0.45 and 5.1.21-beta OS:Any
Assigned to: CPU Architecture:Any
Triage: D1 (Critical)

[27 Sep 2007 14:43] Robert Obermeyer
Description:
Using libmysql and prepared statements with many concurrent queries may lead to a NULL pointer dereference in net_clear() line 294 of sql/net_serv.cc if server is gone.

After the server is gone net->vio may be NULL thus the following parameter to net_data_is_ready() causes a NULL pointer dereference and a segmentation fault.

294: while((ready= net_data_is_ready(net->vio->sd)) > 0)

How to repeat:
Use mysql client library with prepared statements (don't know if it can happen without) and many concurrent queries. Then shutdown the mysql server. In many (not all) cases a segmentation fault occurs.

Suggested fix:
At least the variables net and net->vio in net_clear() should be checked if they are not equal to NULL before using them. May be another problem elsewhere leads to the NULL pointer dereference.
[27 Sep 2007 17:20] Valeriy Kravchuk
Thank you for a problem report. Please, send the resolved stack trace from any of the segmentation faults you can cause this way.
[27 Sep 2007 19:17] Robert Obermeyer
Here it comes. #3 is part of my program.

[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x8056a00 (LWP 100119)]
0x281e9ab4 in net_clear (net=0x8064800) at net.c:227
227     {
(gdb) info stack
#0  0x281e9ab4 in net_clear (net=0x8064800) at net.c:227
#1  0x281c1a5f in cli_stmt_execute (stmt=0x8081000) at libmysql.c:2557
#2  0x281c4d96 in mysql_stmt_execute (stmt=0x8081000) at libmysql.c:2904
#3  0x281ae4cf in get_mysql_row (id=87, stmt=0x8081000, statement=0x281b1290,
    result=0xbf5f9aec) at program.c:254
[...]
[27 Sep 2007 19:19] Robert Obermeyer
This is the net parameter for net_clear(). vio = 0x0 causes the NULL pointer dereference and thus the segmentation fault.

(gdb) print *(NET *)0x8064800
$1 = {vio = 0x0, buff = 0x0, buff_end = 0x8076000 "",
  write_pos = 0x8074000 "\025", read_pos = 0x8074000 "\025", fd = 7,
  max_packet = 8192, max_packet_size = 1073741824, pkt_nr = 1,
  compress_pkt_nr = 0, write_timeout = 31536000, read_timeout = 31536000,
  retry_count = 1, fcntl = 0, compress = 0 '\0', remain_in_buf = 0,
  length = 0, buf_length = 0, where_b = 0, return_status = 0x0,
  reading_or_writing = 0 '\0', save_char = 0 '\0', no_send_ok = 0 '\0',
  no_send_eof = 0 '\0', no_send_error = 0 '\0',
  last_error = "Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)", '\0' <repeats 439 times>, sqlstate = "HY000", last_errno = 2002,
  error = 2 '\002', query_cache_query = 0x0, report_error = 0 '\0',
  return_errno = 0 '\0'}
[11 Dec 2007 11:29] Susanne Ebrecht
Please, can you add your testcase here.
[12 Jan 2008 0:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[13 Feb 2008 17:42] Susanne Ebrecht
Verified by reading bk tree source code.
[23 Apr 2008 12:49] Simon Schmitz
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x2b47a67281a0 (LWP 12255)]
0x00002b47ac43cfb4 in net_clear () from /usr/lib/libmysqlclient.so.15
(gdb) bt
#0  0x00002b47ac43cfb4 in net_clear () from /usr/lib/libmysqlclient.so.15
#1  0x00002b47ac4122e8 in cli_stmt_execute () from /usr/lib/libmysqlclient.so.15
#2  0x00002b47ac411f15 in mysql_stmt_execute () from /usr/lib/libmysqlclient.so.15
#3  0x00002b47ac1867a8 in mysql_st_internal_execute41 ()
   from /usr/lib/perl5/auto/DBD/mysql/mysql.so
#4  0x00002b47ac18ba85 in mysql_st_execute () from /usr/lib/perl5/auto/DBD/mysql/mysql.so
#5  0x00002b47ac1929c7 in XS_DBD__mysql__st_execute () from /usr/lib/perl5/auto/DBD/mysql/mysql.so
#6  0x00002b47abd6b28f in XS_DBI_dispatch () from /usr/lib/perl5/auto/DBI/DBI.so
#7  0x00002b47a585fdd3 in Perl_pp_entersub () from /usr/lib/libperl.so.5.8
#8  0x00002b47a585e63e in Perl_runops_standard () from /usr/lib/libperl.so.5.8
#9  0x00002b47a5808eef in perl_run () from /usr/lib/libperl.so.5.8
#10 0x000000000040185c in main ()
[22 Jan 2009 21:16] Sveta Smirnova
There is related bug #33384.
[28 Feb 2009 19:58] Jim Winstead
This isn't just related to bug #33384, it's a duplicate. Although it was opened later, that report has more information and a suggested fix. We'll track it there.