Details
- Type: Bug
- Resolution: Won't Fix
- Priority: Minor
- Security Level: Public
Description
In libvbucket/vbucket.c, lines 121 and 122, the function update_ketama_continuum first updates the array pointer and then the element counter.
In lines 615 and 616, the function vbucket_map reads both the array pointer and the counter to determine the bounds of the memory it scans.
In the (rare) event that a server is removed, thread A executes update_ketama_continuum line 121 with a smaller array and then blocks; a second thread B could then execute vbucket_map, read the new array pointer together with the (larger) size of the old array, and access memory that has already been freed.
A similar issue exists in (some versions of) the libmemcached code. To fix this, one could change the code to use a pointer to a struct that contains both the array and its size, or place the array pointer and the size adjacent in memory and use a single atomic operation to update both simultaneously (less portable).
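The following C program is an added illustration of the two-store race and of the struct-pointer fix suggested above; it is not libvbucket's or libmemcached's code. The point type, field names, the 4-point and 2-point continua and the lookup routine are all constructed for the example. Pattern A publishes the array pointer and the count as two separate stores, with the writer split into its two steps so the window between them can be observed directly; Pattern B bundles count and points into one immutable snapshot that is published with a single atomic pointer store, so no reader can ever observe a new pointer paired with an old count.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical continuum point: a hash boundary mapped to a server index.
 * Names and layout are assumptions for this example, not libvbucket's own. */
typedef struct { uint32_t point; int index; } cpoint_t;

/* --- Pattern A: array pointer and count published as two separate stores,
 * in the order the report describes (pointer first, count second). --- */
static cpoint_t *split_points = NULL;
static size_t    split_count  = 0;

/* What a reader captures: pointer, then count, as the lookup code does. */
typedef struct { const cpoint_t *points; size_t count; } view_t;

static view_t split_read(void)
{
    view_t v;
    v.points = split_points;
    v.count  = split_count;
    return v;
}

/* Writer split into its two stores so a test can step into the window between them. */
static void split_update_step1(cpoint_t *new_points) { split_points = new_points; }
static void split_update_step2(size_t new_count)     { split_count  = new_count; }

/* --- Pattern B: one immutable snapshot, published with a single pointer store. --- */
typedef struct {
    size_t   count;
    cpoint_t points[];   /* flexible array member: count and data travel together */
} continuum_t;

static _Atomic(continuum_t *) current = NULL;

static continuum_t *continuum_build(const cpoint_t *src, size_t n)
{
    continuum_t *c = malloc(sizeof *c + n * sizeof *src);
    if (!c) return NULL;
    c->count = n;
    memcpy(c->points, src, n * sizeof *src);
    return c;
}

/* Release store pairs with the acquire load in continuum_read, so a reader that
 * sees the new pointer also sees the fully initialised count and points. */
static void continuum_publish(continuum_t *c)
{
    atomic_store_explicit(&current, c, memory_order_release);
}

static const continuum_t *continuum_read(void)
{
    return atomic_load_explicit(&current, memory_order_acquire);
}

/* Ketama-style lookup: first point >= h, wrapping around to the first point. */
static int lookup(const cpoint_t *pts, size_t n, uint32_t h)
{
    for (size_t i = 0; i < n; i++)
        if (pts[i].point >= h) return pts[i].index;
    return n ? pts[0].index : -1;
}

/* Constructed data: a 4-point continuum shrinking to 2 points (a server removed). */
static const cpoint_t OLD_PTS[4] = {{100, 0}, {200, 1}, {300, 2}, {400, 3}};
static const cpoint_t NEW_PTS[2] = {{100, 0}, {300, 2}};

/* Returns 1 if a reader in the window between the two stores would scan past the
 * end of the newly installed, smaller array: the situation the report describes. */
int split_reader_overruns(void)
{
    cpoint_t *old_arr = malloc(sizeof OLD_PTS); memcpy(old_arr, OLD_PTS, sizeof OLD_PTS);
    cpoint_t *new_arr = malloc(sizeof NEW_PTS); memcpy(new_arr, NEW_PTS, sizeof NEW_PTS);
    split_update_step1(old_arr); split_update_step2(4);   /* steady state: 4 points */

    split_update_step1(new_arr);      /* thread A: pointer updated, then blocks ...   */
    view_t v = split_read();          /* thread B: new pointer, old (larger) count    */
    split_update_step2(2);            /* ... thread A resumes and updates the count   */

    int overrun = (v.points == new_arr) && (v.count > 2);
    free(old_arr); free(new_arr);
    return overrun;
}

/* Snapshot design: whichever snapshot a reader loads, its count matches its array. */
int snapshot_reader_consistent(void)
{
    continuum_t *old_c = continuum_build(OLD_PTS, 4);
    continuum_t *new_c = continuum_build(NEW_PTS, 2);
    continuum_publish(old_c);

    const continuum_t *before = continuum_read();
    continuum_publish(new_c);         /* a single store: there is no intermediate state */
    const continuum_t *after  = continuum_read();

    int ok = before->count == 4 && after->count == 2
          && lookup(before->points, before->count, 250) == 2
          && lookup(after->points,  after->count,  250) == 2;
    /* Freeing old_c is safe here only because this example is single-threaded;
     * a real reader/writer setup must defer the free until no reader can hold it. */
    free(old_c); free(new_c);
    return ok;
}
```

The snapshot removes the inconsistent pointer/count pair, but it does not by itself solve the second half of the report's scenario: the old array (here old_c) may still be in use by a reader that loaded it just before the swap, so the writer must defer freeing it (a reference count, a grace period, or simply never freeing continua that were once published) rather than free it immediately after the store.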