[ZOOKEEPER-2186] QuorumCnxManager#receiveConnection may crash with random input - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.6, 3.5.0
Fix Version/s: 3.4.7, 3.5.1, 3.6.0
Component/s: server
Labels:
None

Description

This will allocate an arbitrarily large byte buffer (and try to read it!):

    public boolean receiveConnection(Socket sock) {
        Long sid = null;
...
                sid = din.readLong();
                // next comes the #bytes in the remainder of the message                                                                             
                int num_remaining_bytes = din.readInt();
                byte[] b = new byte[num_remaining_bytes];
                // remove the remainder of the message from din                                                                                      
                int num_read = din.read(b);

This will crash the QuorumCnxManager thread, so the cluster will keep going but future elections might fail to converge (ditto for leaving/joining members).

Patch coming up in a bit.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ZOOKEEPER-2186.patch
13/May/15 23:31
13 kB
Raúl Gutiérrez Segalés
ZOOKEEPER-2186.patch
13/May/15 20:51
12 kB
Raúl Gutiérrez Segalés
ZOOKEEPER-2186.patch
11/May/15 05:50
9 kB
Raúl Gutiérrez Segalés
ZOOKEEPER-2186-v3.4.patch
14/May/15 08:24
2 kB
Raúl Gutiérrez Segalés

Issue Links

Blocked

ZOOKEEPER-3016 Follower QuorumCnxManager$Listener thread died due to incorrect client packet

Resolved

Activity

People

Assignee:: Raúl Gutiérrez Segalés

Reporter:: Raúl Gutiérrez Segalés

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 08/May/15 19:36

Updated:: 09/Apr/18 10:11

Resolved:: 24/May/15 06:34