  1. Couchbase C client library libcouchbase
  2. CCBC-164

Concurrent access to continuum can cause invalid memory reference when servers are removed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: library
    • Security Level: Public
    • Labels:
      None

      Description

      In libvbucket/vbucket.c lines 121/122, function update_ketama_continuum first updates the array pointer, and then the counter.

      In lines 615/616, function vbucket_map reads both the array pointer and the counter to determine the boundaries of the memory to scan.

      In the (rare) event that a server is removed and thread A executes update_ketama_continuum line 121 with a smaller array and then blocks, a second thread B could execute vbucket_map, read the new array pointer and the (larger) size of the old array, and access memory that has been freed.

      A similar issue exists in (some versions of) libmemcached code. To fix this, one could change the code to use a pointer to a struct which contains both the array and its size, or place both the array pointer and the size adjacent in memory and use an atomic operation to update both simultaneously (less portable).
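
The first fix suggested above (a pointer to a struct that holds both the array and its size), shown as an added C11 example that is not libvbucket's own code. The type and function names are hypothetical, and freeing the replaced snapshot is left to the caller, who must wait until no reader still holds it.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; not libvbucket's real structures. */
struct continuum_entry { uint32_t point; int server; };

struct continuum {                 /* never modified after it is published */
    size_t count;
    struct continuum_entry entries[];
};

static _Atomic(struct continuum *) current;

/* Build a new snapshot and publish it with a single atomic pointer swap.
 * The previous snapshot is handed back in *old; the caller frees it only
 * after every reader that could still hold it has finished (reference
 * count, grace period, or similar). Returns 0 on success, -1 on failure. */
int continuum_publish(const struct continuum_entry *src, size_t n,
                      struct continuum **old)
{
    struct continuum *c = malloc(sizeof(*c) + n * sizeof(c->entries[0]));
    if (c == NULL)
        return -1;
    c->count = n;
    if (n > 0)
        memcpy(c->entries, src, n * sizeof(c->entries[0]));
    *old = atomic_exchange_explicit(&current, c, memory_order_acq_rel);
    return 0;
}

/* Ketama-style lookup: first entry whose point is >= hash, wrapping to 0.
 * One atomic load yields the array and its size from the same snapshot,
 * so the scan bounds can never belong to a different (larger) array. */
int continuum_lookup(uint32_t hash)
{
    const struct continuum *c =
        atomic_load_explicit(&current, memory_order_acquire);
    if (c == NULL || c->count == 0)
        return -1;
    size_t lo = 0, hi = c->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (c->entries[mid].point < hash) lo = mid + 1; else hi = mid;
    }
    return c->entries[lo == c->count ? 0 : lo].server;
}
```

The swap removes the mismatch between pointer and counter; it does not by itself decide when the old snapshot may be freed, which still needs reader tracking.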


            People

            • Assignee:
              trond Trond Norbye
              Reporter:
              jbemmel Jeroen van Bemmel