
Commit 402421e

daverigby authored and trondn committed
Fix buffer overrun in iterator_functional_test
As identified during AArch64 testing with UBSan, iterator_functional_test passes a keylen larger than the actual key buffer. This results in a buffer overflow when that key is copied:

==21818==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000059e8c9 at pc 0xffffbe28b9c0 bp 0xfffff0404040 sp 0xfffff0404098
READ of size 10 at 0x00000059e8c9 thread T0
    #0 0xffffbe28b9bc in __interceptor_memcpy (/opt/gcc-10.2.0/lib64/libasan.so.6+0x399bc)
    #1 0x4c4d54 in fdb_iterator_init ../forestdb/src/iterator.cc:199
    #2 0x54c950 in reverse_seek_to_max_nokey() ../forestdb/tests/functional/iterator_functional_test.cc:3047
    #3 0x55e5d4 in main ../forestdb/tests/functional/iterator_functional_test.cc:4281
    #4 0xffffbd100ce0 in __libc_start_main (/lib64/libc.so.6+0x1fce0)
    #5 0x404bac (/home/couchbase/server/build/forestdb/tests/functional/iterator_functional_test+0x404bac)

0x00000059e8c9 is located 0 bytes to the right of global variable '*.LC159' defined in '../forestdb/tests/functional/iterator_functional_test.cc' (0x59e8c0) of size 9
  '*.LC159' is ascii string 'doc-029b'

Change-Id: I3ecd355c9fc85960717ef309b4ba75f83268e2b8
Reviewed-on: http://review.couchbase.org/c/forestdb/+/159306
Tested-by: Build Bot <[email protected]>
Reviewed-by: Trond Norbye <[email protected]>
1 parent 3018d2d commit 402421e

File tree

1 file changed, +2 -2 lines changed


tests/functional/iterator_functional_test.cc

Lines changed: 2 additions & 2 deletions
@@ -3045,7 +3045,7 @@ void reverse_seek_to_max_nokey(void)
30453045

30463046
// set range to have end key that does not exist
30473047
status = fdb_iterator_init(db, &iterator, doc[24]->key, 10,
3048-
(void*)"doc-029b", 10,
3048+
(void*)"doc-029b", 8,
30493049
FDB_ITR_NO_DELETES);
30503050
TEST_CHK(status == FDB_RESULT_SUCCESS);
30513051

@@ -3061,7 +3061,7 @@ void reverse_seek_to_max_nokey(void)
30613061
fdb_iterator_close(iterator);
30623062

30633063
// set range to have start key that does not exist
3064-
status = fdb_iterator_init(db, &iterator, (void*)"doc-024b", 10,
3064+
status = fdb_iterator_init(db, &iterator, (void*)"doc-024b", 8,
30653065
doc[30]->key, 10,
30663066
FDB_ITR_NO_DELETES);
30673067
TEST_CHK(status == FDB_RESULT_SUCCESS);
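Review bot: same remark as for the first hunk applies to `doc[30]->key, 10,` here. Both call sites fixed in this commit used 10 for an 8-character literal, so a small helper in the test that takes a string literal and passes `strlen` as keylen would remove the hand-maintained counts from every `fdb_iterator_init` call in this file, not just the two that the sanitizer happened to hit.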

0 commit comments
