Bug #33750 buffer overflow on reading a BIT(64) value using NDBAPI
Submitted: 8 Jan 2008 19:49 Modified: 20 Feb 2008 22:11
Reporter: Hartmut Holzgraefe
Status: Closed
Category: MySQL Cluster: NDB API    Severity: S3 (Non-critical)
Version: mysql-5.1.22-ndb-6.3.6    OS: Linux
Assigned to: Frazer Clement CPU Architecture:Any
Triage: D4 (Minor)

[8 Jan 2008 19:49] Hartmut Holzgraefe
Description:
When reading a BIT(64) using NdbOperation:getValue() 
an 8 byte buffer should be sufficient to store the result,
but actually 12 bytes are written to the buffer in this case.

A BIT(32) column result fits into 4 bytes as expected,
BIT(33) to BIT(63) fit into 8 bytes which is expected, too,
taking 4 byte alignments into account, but BIT(64) should
still fit into 8 bytes.

How to repeat:
See README in attached source project
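The sizes the report lists (4 bytes for BIT(32), 8 for BIT(33) to BIT(63), 12 instead of 8 for BIT(64)) are what you get when a multi-word bit-field copy stores its trailing partial word even when no bits are left over. The C below is an added illustration, not the attached test project and not NDB's own getField code: `get_field` is a hypothetical reconstruction of that defect next to the corrected behaviour, and `tail_intact` is the kind of sentinel check a regression test can use to catch a write past the supplied buffer.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes a BIT(len) value occupies when packed into 32-bit words, matching
 * the report's observations: BIT(32) -> 4, BIT(33..63) -> 8, BIT(64) -> 8. */
static unsigned bit_field_bytes(unsigned len)
{
    return ((len + 31) / 32) * 4;
}

/* Hypothetical reconstruction, not NDB's real getField: copy `len` bits from
 * bit `pos` of `src` into `dst`, 32 bits per word. With `unconditional_tail`
 * set it models the reported defect: the multi-word path always stores a
 * trailing partial word, so a 64-bit field (two full words) stores a third. */
static unsigned get_field(const uint32_t *src, unsigned pos, unsigned len,
                          uint32_t *dst, int unconditional_tail)
{
    assert(len > 0);                       /* the len > 0 assert from review */
    unsigned words = 0, nbits = 0;
    uint32_t acc = 0;
    for (unsigned i = 0; i < len; i++) {
        unsigned b = pos + i;
        acc |= ((src[b / 32] >> (b % 32)) & 1u) << nbits;
        if (++nbits == 32) { dst[words++] = acc; acc = 0; nbits = 0; }
    }
    if (nbits > 0 || (unconditional_tail && len > 32))
        dst[words++] = acc;                /* genuine partial word, or the bogus tail */
    return words * 4;                      /* bytes written to dst */
}

/* Overflow check: extract BIT(len) into a buffer sized by bit_field_bytes()
 * with a sentinel word right after it; returns 1 if the sentinel survived. */
static int tail_intact(unsigned len, int unconditional_tail)
{
    const uint32_t src[4] = { 0xdeadbeefu, 0x0badf00du, 0xffffffffu, 0x12345678u }; /* constructed */
    uint32_t dst[5];
    unsigned want = bit_field_bytes(len) / 4;   /* words the caller would allocate */
    dst[want] = 0xa5a5a5a5u;
    get_field(src, 0, len, dst, unconditional_tail);
    return dst[want] == 0xa5a5a5a5u;
}

int main(void)
{
    const unsigned lens[] = { 32, 33, 63, 64 };
    for (int i = 0; i < 4; i++)
        printf("BIT(%u): %u bytes; sentinel intact: buggy=%d fixed=%d\n", lens[i],
               bit_field_bytes(lens[i]), tail_intact(lens[i], 1), tail_intact(lens[i], 0));
    return 0;
}
```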
[8 Jan 2008 20:05] Hartmut Holzgraefe
test project

Attachment: csc22154-0.1.tar.gz (application/x-gzip, text), 300.42 KiB.

[8 Jan 2008 20:06] Hartmut Holzgraefe
Workaround: use larger buffer
[22 Jan 2008 16:58] Frazer Clement
Proposed patch for Bug 33750

Attachment: bug33750.patch (text/x-patch), 23.51 KiB.

[23 Jan 2008 6:00] Jonas Oreland
I think you could assert that len > 0
otherwise looks great
how much has run-time of testBitfield increased?
[23 Jan 2008 7:16] Frazer Clement
Modified patch with len==0 case changed to assert and increased test iterations

Attachment: bug33750-v2.patch (text/x-patch), 24.11 KiB.

[23 Jan 2008 7:18] Frazer Clement
Runtime of testBitfield.cpp increased from ~13s to ~19s by this patch.
[23 Jan 2008 8:21] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41137

ChangeSet@1.2584, 2008-01-23 09:22:26+01:00, jonas@perch.ndb.mysql.com +3 -0
  ndb - bug#33750
    make sure that getField does not write after supplied buffer
[23 Jan 2008 8:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41138

ChangeSet@1.2409, 2008-01-23 09:59:06+01:00, jonas@perch.ndb.mysql.com +3 -0
  ndb - bug#33750
      make sure that getField does not write after supplied buffer
      (recommit to correct clone, for easy merging)
[23 Jan 2008 9:57] Jonas Oreland
pushed into 50-ndb, telco-61, telco-62, telco-63
51-telco-gca & 50-telco-gca
[23 Jan 2008 12:50] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41150

ChangeSet@1.2187, 2008-01-23 13:50:17+01:00, jonas@perch.ndb.mysql.com +3 -0
  ndb - bug#33750 (drop6)
    make sure that getField does not write after supplied buffer
[1 Feb 2008 14:29] Jon Stephens
Documented bugfix in 5.1.23-ndb-6.3.8 changelog as follows:

    When reading a BIT(64) value using
    NdbOperation:getValue(), 12 bytes are written
    to the buffer rather than the expected 8 bits.

Left bug in PQ status pending additional merges.
[2 Feb 2008 12:04] Jon Stephens
Also documented for 5.1.23-ndb-6.2.11; left status unchanged.
[20 Feb 2008 16:02] Bugs System
Pushed into 5.0.58
[20 Feb 2008 16:02] Bugs System
Pushed into 5.1.24-rc
[20 Feb 2008 16:04] Bugs System
Pushed into 6.0.5-alpha
[20 Feb 2008 22:11] Jon Stephens
Also documented for 5.0.58, 5.1.24, and 6.0.5.