  1. Couchbase C client library libcouchbase
  2. CCBC-164

Concurrent access to continuum can cause invalid memory reference when servers are removed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: library
    • Security Level: Public
    • Labels:
      None

      Description

      In libvbucket/vbucket.c lines 121/122, function update_ketama_continuum first updates the array pointer, and then the counter.

      In lines 615/616, function vbucket_map reads both the array pointer and the counter to determine the boundaries of the memory to scan.

      In the (rare) event that a server is removed and thread A executes update_ketama_continuum line 121 with a smaller array and then blocks, a second thread B could execute vbucket_map, read the new array pointer and the (larger) size of the old array, and access memory that has been freed.

      A similar issue exists in (some versions of) libmemcached code. To fix this, one could change the code to use a pointer to a struct which contains both the array and its size, or place both the array pointer and the size adjacent in memory and use an atomic operation to update both simultaneously (less portable).
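The first fix proposed in the description (one pointer to a struct that carries both the array and its size), sketched as an added example that is not libvbucket or libcouchbase code. All type and function names here are hypothetical, and the ring data in `main` is constructed. The swap alone does not make freeing the old snapshot safe, so `continuum_publish` hands it back to the caller instead of freeing it.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; not libvbucket's definitions. */
struct point { uint32_t hash; int server; };
struct continuum { size_t n; struct point pts[]; }; /* size travels with the array */

static _Atomic(struct continuum *) current; /* static storage: starts as NULL */

/* Build an immutable snapshot; pts must already be sorted by hash. */
static struct continuum *continuum_new(const struct point *pts, size_t n) {
    struct continuum *c = malloc(sizeof *c + n * sizeof *pts);
    if (c == NULL) return NULL;
    c->n = n;
    if (n > 0) memcpy(c->pts, pts, n * sizeof *pts);
    return c;
}

/* Writer: a single atomic exchange publishes array and size together.
 * Returns the previous snapshot. The caller must not free it while any
 * reader may still hold it (needs a refcount, RCU, or a lock). */
static struct continuum *continuum_publish(struct continuum *next) {
    return atomic_exchange_explicit(&current, next, memory_order_acq_rel);
}

/* Reader: load the pointer once, then take the bounds from that same
 * snapshot, so a stale size can never be paired with a new array. */
static int continuum_lookup(uint32_t hash) {
    const struct continuum *c =
        atomic_load_explicit(&current, memory_order_acquire);
    if (c == NULL || c->n == 0) return -1;
    size_t lo = 0, hi = c->n;
    while (lo < hi) { /* find first point with pts[i].hash >= hash */
        size_t mid = lo + (hi - lo) / 2;
        if (c->pts[mid].hash < hash) lo = mid + 1; else hi = mid;
    }
    return c->pts[lo == c->n ? 0 : lo].server; /* wrap around the ring */
}

int main(void) {
    /* Constructed sample ring: three servers, then server 1 is removed. */
    struct point before[] = {{100, 0}, {200, 1}, {300, 2}};
    struct point after[]  = {{100, 0}, {300, 2}};
    continuum_publish(continuum_new(before, 3));
    printf("before: %d\n", continuum_lookup(150));
    struct continuum *old = continuum_publish(continuum_new(after, 2));
    printf("after:  %d\n", continuum_lookup(150));
    free(old);                     /* safe here: single thread, no readers */
    free(continuum_publish(NULL));
    return 0;
}
```
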


        Activity

        trond Trond Norbye added a comment -

        This is not a bug in libcouchbase because each lcb_t should not be accessed from multiple threads without adding proper locking.


          People

          • Assignee:
            trond Trond Norbye
            Reporter:
            jbemmel Jeroen van Bemmel