Details
Description
If the client sets a large document (example is 10MB) and for some reason closes the connection before memcached returns status there's a risk of leaking the document size of data.
1. Mcd reads the binary protocol header and sees a value length of 10MB.
2. Mcd uses engine allocate and creates a 10MB item.
3. Mcd goes around conn_nread pulling the value off the socket which requires a few goes to get all 10MB
Meanwhile... client gives up (small lcb_set_timeout) and closes the connection.
3. (contd.) Mcd encouters a read from socket error.
4. Mcd returns false from conn_nread, event loop terminates
In this failure path, there's no item release code, in this example we leak 10MB.
Attachments
Issue Links
For Gerrit Dashboard: MB-12451 | ||||||
---|---|---|---|---|---|---|
# | Subject | Branch | Project | Status | CR | V |
42472,7 | MB-12451 mcd leak when socket closes during read | master | memcached | Status: MERGED | +2 | +1 |
42525,3 | MB-12451 mcd leak when socket closes during read | branch-20 | memcached | Status: MERGED | +2 | +1 |
42723,4 | MB-12451 Verification build to test MCD memory leak | master | manifest | Status: MERGED | +2 | +1 |
48672,2 | MB-12451 mcd leak when socket closes during read | 3.0 | memcached | Status: MERGED | +2 | +1 |