Details
- Type: Bug
- Resolution: Fixed
- Priority: Major
- Affects Version/s: 4.0.0, 4.1.1, 4.5.0
- None
- Triage: Untriaged
- Unknown
Description
This issue can manifest as a segfault during an upgrade from 3.x to 4.x.
KV-engine metadata has gone through the following three layouts (sizes are the on-the-wire sizes, with no padding):
epoch (version 0), 16 bytes
    struct metadata {
        uint64_t cas;
        uint32_t expiry;
        uint32_t flags;
    };

version 1, 18 bytes
    struct metadata {
        uint64_t cas;
        uint32_t expiry;
        uint32_t flags;
        uint8_t  ext1;
        uint8_t  ext2;
    };

version 2, 19 bytes
    struct metadata {
        uint64_t cas;
        uint32_t expiry;
        uint32_t flags;
        uint8_t  ext1;
        uint8_t  ext2;
        uint8_t  conflict_resolution_mode;
    };
- 3.x code writes out the version 1 structure (18 bytes of meta).
- 4.x code only distinguishes version 0 from version 2: it checks for a length greater than 16 rather than for exactly 19 bytes, so an 18-byte version 1 record is treated as version 2 and conflict_resolution_mode is read at offset 18, one byte past the end of the record.
This was discovered while error-injecting in unit tests on the master/watson branch and shows up in valgrind as an invalid read of 1 byte.
(details of test to be uploaded).
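The length check described above, written out beside a strict version of it, as an added example for this page (it is not KV-engine code). The decoder names, the big-endian field layout and the bounds-recording `rd8` reader are assumptions made for illustration; in real code `rd8` would be a plain dereference, and the one byte it reports on an 18-byte record is the invalid read valgrind flagged. The sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* On-the-wire sizes of the three layouts listed in the report. */
#define META_V0_LEN 16  /* cas + expiry + flags */
#define META_V1_LEN 18  /* + ext1, ext2: what 3.x writes */
#define META_V2_LEN 19  /* + conflict_resolution_mode */

struct metadata {
    uint64_t cas;
    uint32_t expiry;
    uint32_t flags;
    uint8_t  ext1;
    uint8_t  ext2;
    uint8_t  conflict_resolution_mode;
};

struct decode_result {
    int version;    /* 0, 1 or 2; -1 when the record is rejected */
    int oob_bytes;  /* bytes the decoder asked for beyond len */
};

/* Byte read that records, instead of performing, an out-of-bounds access
 * (assumed helper for this example; a plain p[off] is what valgrind flags). */
static uint8_t rd8(const uint8_t *p, size_t len, size_t off, int *oob) {
    if (off >= len) { (*oob)++; return 0; }
    return p[off];
}

/* Big-endian field order is an assumption of this example, not a claim about
 * the real on-disk format; only the record lengths matter for the bug. */
static void load_v0(const uint8_t *p, size_t len, struct metadata *m, int *oob) {
    size_t i;
    memset(m, 0, sizeof *m);
    for (i = 0; i < 8; i++)   m->cas    = (m->cas    << 8) | rd8(p, len, i, oob);
    for (i = 8; i < 12; i++)  m->expiry = (m->expiry << 8) | rd8(p, len, i, oob);
    for (i = 12; i < 16; i++) m->flags  = (m->flags  << 8) | rd8(p, len, i, oob);
}

/* The 4.x logic as the report describes it: any record longer than 16 bytes
 * is taken to be version 2, so conflict_resolution_mode is read at offset 18
 * even when the record is an 18-byte version 1 record. */
struct decode_result decode_meta_buggy(const uint8_t *p, size_t len, struct metadata *m) {
    struct decode_result r = { -1, 0 };
    if (len < META_V0_LEN) return r;
    load_v0(p, len, m, &r.oob_bytes);
    r.version = 0;
    if (len > META_V0_LEN) {            /* the only check made */
        m->ext1 = rd8(p, len, 16, &r.oob_bytes);
        m->ext2 = rd8(p, len, 17, &r.oob_bytes);
        m->conflict_resolution_mode = rd8(p, len, 18, &r.oob_bytes);  /* off the end for v1 */
        r.version = 2;
    }
    return r;
}

/* Hardened decoder: dispatch on the exact length of each known layout and
 * reject every other length instead of guessing. */
struct decode_result decode_meta_fixed(const uint8_t *p, size_t len, struct metadata *m) {
    struct decode_result r = { -1, 0 };
    if (len != META_V0_LEN && len != META_V1_LEN && len != META_V2_LEN) return r;
    load_v0(p, len, m, &r.oob_bytes);
    r.version = 0;
    if (len >= META_V1_LEN) {
        m->ext1 = rd8(p, len, 16, &r.oob_bytes);
        m->ext2 = rd8(p, len, 17, &r.oob_bytes);
        r.version = 1;
    }
    if (len == META_V2_LEN) {
        m->conflict_resolution_mode = rd8(p, len, 18, &r.oob_bytes);
        r.version = 2;
    }
    return r;
}

/* Constructed sample: an 18-byte version 1 record of the kind 3.x writes. */
static const uint8_t v1_record[META_V1_LEN] = {
    0x00,0x00,0x00,0x00,0x00,0x00,0x12,0x34,   /* cas = 0x1234 */
    0x00,0x00,0x00,0x3c,                        /* expiry = 60 */
    0x00,0x00,0x00,0x01,                        /* flags = 1 */
    0x05,0x06                                   /* ext1, ext2 */
};
```

Feeding `v1_record` to `decode_meta_buggy` reports version 2 with one byte requested past the end; `decode_meta_fixed` reports version 1 with no overrun, and rejects a 17-byte record outright rather than reading ext2 and conflict_resolution_mode from beyond it.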