Bug #38580 NDB : Buffer overrun during node shutdown handling results in SEGV
Submitted: 5 Aug 2008 18:58    Modified: 15 Oct 2008 14:53
Reporter: Frazer Clement    Status: Closed
Category: MySQL Cluster: Cluster (NDB) storage engine    Severity: S3 (Non-critical)
Version: 5.1+    OS: Any
Assigned to: Frazer Clement    CPU Architecture: Any

[5 Aug 2008 18:58] Frazer Clement
Description:
When CopyFragRef is sent to a running node during node restart, the starting node is shut down as expected.

However, while reporting the reason for the shutdown, ErrorReporter::handleError() experiences a SEGFAULT() which invokes the signal handler, which invokes the ErrorReporter. However, the second time, the ErrorReporter succeeds. For this reason, this bug is not too severe.

How to repeat:
Repeated by causing node restart to fail resulting in COPYFRAGREF sent to DIH and DIH instructing starting node to crash.

Suggested fix:
Fix code adding "\n" to the end of error file message dump - it actually adds "\n\0" which overwrites the first byte of the next item on the stack - the AutoPtr responsible for freeing some memory.
(See ErrorReporter::formatMessage())

When the AutoPtr destructs, it attempts to free the memory and gets a SEGV.

=== modified file 'storage/ndb/src/kernel/error/ErrorReporter.cpp'
--- storage/ndb/src/kernel/error/ErrorReporter.cpp      2008-04-23 13:42:17 +0000
+++ storage/ndb/src/kernel/error/ErrorReporter.cpp      2008-08-05 18:55:30 +0000
@@ -162,8 +162,9 @@ ErrorReporter::formatMessage(Uint32 num_
     strcat(messptr, " ");
   }

-  strcat(messptr, "\n");
-
+  messptr[ MESSAGE_LENGTH - 2 ]= '\n';
+  messptr[ MESSAGE_LENGTH - 1 ]= 0;
+
   return;
 }
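Review bot: the two fixed-index stores at MESSAGE_LENGTH - 2 and MESSAGE_LENGTH - 1 are in bounds where the removed strcat was not, but they are only correct if the preceding strcat(messptr, " ") loop has padded the message to at least MESSAGE_LENGTH - 2 characters; for a shorter message the '\n' lands after the NUL that strcat already wrote and the dump silently loses its line break. A length-based terminator holds in both cases, e.g. `size_t len = strlen(messptr); if (len > MESSAGE_LENGTH - 2) len = MESSAGE_LENGTH - 2;` followed by `messptr[len] = '\n'; messptr[len + 1] = 0;`. A comment on why the newline now goes at a fixed offset would also help the next reader, since the padding assumption is not visible at this point in the function.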
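The one-byte overrun described above (strcat writing "\n\0" into a buffer that already holds MESSAGE_LENGTH - 1 characters, so the NUL lands on the next stack object) is easy to reason about with a small model. The following is an added example, not code from the bug report or from the NDB ErrorReporter: it assumes MESSAGE_LENGTH is 500 and that the padding loop fills the message to MESSAGE_LENGTH - 1 characters, which is the case that makes the original strcat overrun by exactly one byte. It computes how far a strcat would overrun, shows a bounded replacement that keeps both the newline and the terminator inside the buffer, and checks that a pointer placed next to the buffer (standing in for the AutoPtr) survives.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size; the real MESSAGE_LENGTH constant lives in NDB's ErrorReporter. */
#define MESSAGE_LENGTH 500

/* Simulated stack layout: a fixed-size message buffer directly followed by a
 * pointer, standing in for the AutoPtr whose first byte the stray NUL hit. */
struct frame {
    char msg[MESSAGE_LENGTH];
    char *owned;
};

/* Build a message the way the padding loop is assumed to: copy the text, then
 * pad with spaces until the string is cap-1 characters long, the longest string
 * a cap-byte buffer can hold together with its terminator. */
void build_padded_message(char *buf, size_t cap, const char *text) {
    size_t len = strlen(text);
    if (len > cap - 1) len = cap - 1;
    memcpy(buf, text, len);
    memset(buf + len, ' ', cap - 1 - len);
    buf[cap - 1] = '\0';
}

/* Number of bytes strcat(buf, "\n") would write past a cap-byte buffer.
 * strcat appends '\n' and a NUL, so a cap-1 character string needs cap+1 bytes. */
size_t strcat_newline_overrun(const char *buf, size_t cap) {
    size_t needed = strlen(buf) + 2;
    return needed > cap ? needed - cap : 0;
}

/* Bounded replacement: place the newline at the current end of the string,
 * dropping trailing padding if needed, so '\n' and the NUL both stay inside
 * the buffer. Returns 1 if the message had to be shortened, 0 otherwise. */
int append_newline_bounded(char *buf, size_t cap) {
    size_t len = strlen(buf);
    int truncated = 0;
    if (len > cap - 2) { len = cap - 2; truncated = 1; }
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return truncated;
}

/* Overrun strcat would cause for a padded (full-length) message built from text. */
size_t padded_overrun(const char *text) {
    char buf[MESSAGE_LENGTH];
    build_padded_message(buf, MESSAGE_LENGTH, text);
    return strcat_newline_overrun(buf, MESSAGE_LENGTH);
}

/* A short, unpadded message must gain its newline without truncation. */
int short_append_ok(void) {
    char buf[16] = "hello";
    int truncated = append_newline_bounded(buf, sizeof buf);
    return truncated == 0 && strcmp(buf, "hello\n") == 0;
}

/* Run a full-length message through the bounded append and verify that the
 * neighbouring pointer is untouched and the buffer ends in "\n\0". */
int neighbour_survives(void) {
    struct frame f;
    char marker = 'x';
    f.owned = &marker;
    build_padded_message(f.msg, MESSAGE_LENGTH, "CopyFragRef received, node shutting down");
    append_newline_bounded(f.msg, MESSAGE_LENGTH);
    return f.owned == &marker
        && f.msg[MESSAGE_LENGTH - 2] == '\n'
        && f.msg[MESSAGE_LENGTH - 1] == '\0';
}

int main(void) {
    printf("strcat would overrun a padded message by %zu byte(s)\n",
           padded_overrun("node shutting down"));
    printf("short message appended without truncation: %d\n", short_append_ok());
    printf("neighbouring pointer intact after bounded append: %d\n", neighbour_survives());
    return 0;
}
```

The padded case is the one the report describes: the message already occupies MESSAGE_LENGTH - 1 bytes, strcat places the newline in the last slot and its terminator one byte past the end. The bounded append instead trades one byte of padding for the newline, which is also what the patch's fixed-offset write achieves when the padding loop has filled the buffer.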
[7 Aug 2008 12:45] Frazer Clement
Minor bug with no workaround and minimal impact

Proposed patch attached to original bug report
[11 Aug 2008 22:57] Jon Stephens
Need complete version numbers in which fix will appear in order to document. Thanks.
[26 Aug 2008 15:35] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/52578
[15 Oct 2008 12:10] Frazer Clement
Pushed to 6.2.16, 6.3.18, 6.4.0
[15 Oct 2008 14:53] Jon Stephens
Documented bugfix in the ndb-6.2.16 and ndb-6.3.18 changelogs as follows:

        When restarting a data node, an excessively long shutdown message could
        cause the node process to crash.
[12 Dec 2008 23:27] Bugs System
Pushed into 6.0.7-alpha  (revid:frazer@mysql.com-20080826153354-w2detgtel1vu7vod) (version source revid:tomas.ulin@sun.com-20080902154454-pvi3xa61d2wtxtbg) (pib:5)