Details
- Bug
- Resolution: Fixed
- Critical
- master
- None
- Untriaged
- Unknown
Description
As part of http://review.couchbase.org/95248 a ConnHandler's priority was included in the connection stats; this priority was fetched from the underlying Connection via its cookie, `c` below:
    void ConnHandler::addStats(ADD_STAT add_stat, const void* c) {
        ...
        const auto priority = engine_.getDCPPriority(c);
        const char* priString = "<INVALID>";
        switch (priority) {
            ... Map priority to a string ...
        }
        addStat("priority", priString, add_stat, c);
    }
However this is the wrong trousers^Wcookie; the cookie passed to ADD_STAT is not necessarily a memcached connection cookie; indeed in the case of KVBucket::snapshotStats() it is an instance of snapshot_stats_t.
As a result, this triggers a crash under AddressSanitizer: we treat a snapshot_stats_t object as a memcached connection cookie and call cookie_get_priority on it, which in turn attempts to dereference it as a Cookie object and reads garbage data.
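An added example (constructed here, not Couchbase's code) of the shape that avoids this confusion: the `c` handed to ADD_STAT stays opaque and is only forwarded, while the priority lookup uses a connection cookie the handler holds itself (assumed member `cookie_`; the ADD_STAT signature, Cookie and snapshot_stats_t are simplified stand-ins for the real types).

```cpp
#include <map>
#include <string>

// Constructed stand-ins for the types named in the report, not the real definitions.
enum class DcpPriority { Low, Medium, High };
struct Cookie { DcpPriority priority; };                                 // memcached connection cookie
struct snapshot_stats_t { std::map<std::string, std::string> stats; };  // KVBucket::snapshotStats() target

// Simplified ADD_STAT: the last argument is an opaque context, not necessarily a Cookie.
using ADD_STAT = void (*)(const char* key, const char* val, const void* ctx);

// Callback used on the snapshot path, where ctx really is a snapshot_stats_t.
void snapshotAddStat(const char* key, const char* val, const void* ctx) {
    auto* snap = static_cast<snapshot_stats_t*>(const_cast<void*>(ctx));
    snap->stats[key] = val;
}

struct Engine {
    // Only valid on a *connection* cookie; calling it with any other pointer is type confusion.
    DcpPriority getDCPPriority(const void* connCookie) const {
        return static_cast<const Cookie*>(connCookie)->priority;
    }
};

class ConnHandler {
public:
    ConnHandler(Engine& e, const Cookie* connCookie) : engine_(e), cookie_(connCookie) {}

    // Hardened shape: look the priority up on the handler's own connection cookie
    // (assumed member cookie_) and treat the ADD_STAT context c as pass-through only.
    void addStats(ADD_STAT add_stat, const void* c) const {
        const char* priString = "<INVALID>";
        switch (engine_.getDCPPriority(cookie_)) {
        case DcpPriority::Low:    priString = "low";    break;
        case DcpPriority::Medium: priString = "medium"; break;
        case DcpPriority::High:   priString = "high";   break;
        }
        add_stat("priority", priString, c);
    }
private:
    Engine& engine_;
    const Cookie* cookie_;
};

// Drives the snapshot path: the stats context is a snapshot_stats_t, not a Cookie,
// yet the reported priority still comes from the connection that owns the handler.
std::string snapshotPriority(DcpPriority p) {
    Engine engine;
    Cookie conn{p};
    snapshot_stats_t snap;
    ConnHandler handler(engine, &conn);
    handler.addStats(snapshotAddStat, &snap);
    return snap.stats["priority"];
}
```

Under AddressSanitizer the original shape faults as soon as the snapshot path reads the priority; this shape keeps the snapshot_stats_t pointer out of any Cookie dereference entirely.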