
#3232 ntf: ntfimcnd crashes when create an object with SA_NOTIFY flag

5.20.11
fixed
None
defect
ntf
-
major
False
2020-11-11
2020-11-05
No

Reproduce
1. Import a class that has a string attribute carrying the SA_NOTIFY flag, as below

<?xml version="1.0" encoding="utf-8"?>
<imm:IMM-contents>
    <class name="TestFlag">
        <category>SA_CONFIG</category>
        <rdn>
            <name>testFlag</name>
            <type>SA_STRING_T</type>
            <category>SA_CONFIG</category>
            <flag>SA_INITIALIZED</flag>
        </rdn>
        <attr>
            <name>notify</name>
            <type>SA_STRING_T</type>
            <category>SA_CONFIG</category>
            <flag>SA_WRITABLE</flag>
            <flag>SA_NOTIFY</flag>
        </attr>
    </class>
</imm:IMM-contents>

2. Create an object whose attribute value is over ~65000 characters long by using this script

#!/bin/bash
value=""
for ((i = 0 ; i < 66000; i++)); do
        value+="a"
done
immcfg -c TestFlag -a notify="$value" testFlag=1

Backtrace

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f41ea0a58b1 in __GI_abort () at abort.c:79
#2  0x00007f41ea0ee907 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f41ea21bdfa "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f41ea0f597a in malloc_printerr (str=str@entry=0x7f41ea21a133 "realloc(): invalid next size") at malloc.c:5350
#4  0x00007f41ea0faa24 in _int_realloc (av=av@entry=0x7f41dc000020, oldp=oldp@entry=0x7f41dc004f60, oldsize=oldsize@entry=560, nb=nb@entry=576)
    at malloc.c:4534
#5  0x00007f41ea0fe00b in __GI___libc_realloc (oldmem=0x7f41dc004f70, bytes=554) at malloc.c:3230
#6  0x00007f41eb3b628a in ntfsv_ptr_val_alloc (vd=vd@entry=0x55af73400ee8, nv=nv@entry=0x55af733fe388, data_size=data_size@entry=14,
    data_ptr=data_ptr@entry=0x7fff5784f898) at src/ntf/common/ntfsv_mem.c:911
#7  0x00007f41ead6e30a in saNtfPtrValAllocate (notificationHandle=notificationHandle@entry=4286578692, dataSize=dataSize@entry=14,
    dataPtr=dataPtr@entry=0x7fff5784f898, value=value@entry=0x55af733fe388) at src/ntf/agent/ntfa_api.c:2887
#8  0x000055af719e952f in fill_additional_info (notificationHandle=4286578692, additionalInfo=<optimized out>,
    info_value=info_value@entry=0x55af719ed32a "SaImmOiCcbIdT", add_index=add_index@entry=2) at src/ntf/ntfimcnd/ntfimcn_notifier.c:194
#9  0x000055af719ea5a4 in fill_attribute_info_create (ccbLast=<optimized out>, rdn_attr_name=0x7f41dc003ef0 "testFlag",
    SaNtfObjectCreateNotification=0x7fff5784f920, imm_attribute_values=<optimized out>, CcbId=<optimized out>) at src/ntf/ntfimcnd/ntfimcn_notifier.c:663
#10 ntfimcn_send_object_create_notification (CcbUtilOperationData=CcbUtilOperationData@entry=0x55af733ffeb0, rdn_attr_name=0x7f41dc003ef0 "testFlag",
    ccbLast=ccbLast@entry=SA_TRUE) at src/ntf/ntfimcnd/ntfimcn_notifier.c:1288
#11 0x000055af719eca62 in saImmOiCcbApplyCallback (immOiHandle=<optimized out>, ccbId=<optimized out>) at src/ntf/ntfimcnd/ntfimcn_imm.c:694
#12 0x00007f41eab599a5 in imma_process_callback_info (cb=cb@entry=0x7f41ead65300 <imma_cb>, cl_node=<optimized out>,
    callback=callback@entry=0x7f41dc004de0, immHandle=<optimized out>) at src/imm/agent/imma_proc.cc:2503
#13 0x00007f41eab5bf59 in imma_hdl_callbk_dispatch_all (cb=0x7f41ead65300 <imma_cb>, immHandle=<optimized out>) at src/imm/agent/imma_proc.cc:1832
#14 0x00007f41eab50617 in saImmOiDispatch (immOiHandle=<optimized out>, dispatchFlags=SA_DISPATCH_ALL) at src/imm/agent/imma_oi_api.cc:642
#15 0x000055af719e91c2 in main (argc=<optimized out>, argv=<optimized out>) at src/ntf/ntfimcnd/ntfimcn_main.c:161

Related

Wiki: ChangeLog-5.20.11

Discussion

  • Nghiem Xuan Nhat Quang

    • Component: unknown --> ntf
     
  • Nghiem Xuan Nhat Quang

    • status: accepted --> review
     
  • Nghiem Xuan Nhat Quang

    • status: review --> fixed
     
  • Nghiem Xuan Nhat Quang

    commit 135319d4fed6f60447cf4767da2e9b7ea9807386 (HEAD -> develop, origin/develop)
    Author: quang.xn.nghiem <quang.xn.nghiem@dektech.com.au>
    Date:   Tue Nov 10 17:53:04 2020 +0700
    
        ntf: fix coredump while creating object having string value, SA_NOTIFY [#3232]
    
        When creating or modifying an object whose attribute value size is over 65535,
        the actual size will be truncated because dataSize of saNtfPtrValAllocate
        is SaUint16T (from 0 to 65535). Thus, after saNtfPtrValAllocate is invoked,
        the attribute value is assigned to the memory allocated with the actual
        size over 65535 and causes a memory corruption.
        Solution is to prevent the size of data and log a warning if it's over 65535.
    
     
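The mechanism behind the crash in the reproduce steps and the commit message above is an integer narrowing: a size_t length is passed as a 16-bit dataSize, so 66000 becomes 464, the buffer is allocated from the small value, and the copy of the full value overruns the heap until realloc()'s chunk check aborts. The following C program is an added example, not OpenSAF code; narrowed_data_size, overrun_bytes, alloc_notify_value and make_value are hypothetical names standing in for the ntfsv/ntfa routines, and the only fact taken from the ticket is that dataSize is a SaUint16T (0 to 65535). It shows the value the callee actually receives, the size of the resulting overrun, and a hardened allocate-and-copy that checks the bound before narrowing and logs a warning instead of allocating, which is the shape of the fix described.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The value a callee with a 16-bit dataSize parameter actually receives
 * when the caller passes a size_t length. The conversion was implicit at
 * the original call site; it is written explicitly here so it is visible. */
uint16_t narrowed_data_size(size_t actual_len) {
    return (uint16_t)actual_len;
}

/* Bytes that would be written past a buffer sized from the narrowed value
 * if the copy still used the full length: the heap overrun that the
 * "realloc(): invalid next size" check in the backtrace detected. */
size_t overrun_bytes(size_t actual_len) {
    return actual_len - narrowed_data_size(actual_len);
}

/* Hardened allocate-and-copy (hypothetical, stands in for the NTF allocator):
 * refuse values that do not fit in 16 bits, log a warning, and only narrow
 * after the bound has been checked. Returns a NUL-terminated copy, or NULL
 * with *rejected set when the value was too large. */
char *alloc_notify_value(const char *value, size_t len, bool *rejected) {
    *rejected = false;
    if (len > UINT16_MAX) {
        *rejected = true;
        fprintf(stderr,
                "WARNING: attribute value of %zu bytes exceeds %u bytes, not sent\n",
                len, (unsigned)UINT16_MAX);
        return NULL;
    }
    uint16_t data_size = (uint16_t)len; /* safe: checked above */
    char *buf = malloc((size_t)data_size + 1);
    if (buf == NULL) {
        return NULL;
    }
    memcpy(buf, value, data_size);
    buf[data_size] = '\0';
    return buf;
}

/* Constructed input: n copies of 'a', as the reproduce script builds it. */
char *make_value(size_t n) {
    char *v = malloc(n + 1);
    if (v == NULL) {
        return NULL;
    }
    memset(v, 'a', n);
    v[n] = '\0';
    return v;
}

int main(void) {
    size_t len = 66000; /* same length as the reproduce script */
    char *v = make_value(len);
    bool rejected = false;

    printf("callee sees dataSize=%u, overrun would be %zu bytes\n",
           narrowed_data_size(len), overrun_bytes(len));

    char *copy = alloc_notify_value(v, len, &rejected);
    printf("rejected=%d copy=%p\n", rejected, (void *)copy);

    free(copy);
    free(v);
    return 0;
}
```

Checking against UINT16_MAX before the cast is the whole point: once a length has been narrowed, the callee has no way to know the original, so the check has to live where the size_t value is still available.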
