Bug#21288106 - MISSING SANITY CHECK FOR STRDUP() IN HTTP.C PLUS POTENTIAL PROBLEM

Aakanksha Verma · Aakanksha Verma · commit 8c1c36bf48e8 · 2015-08-28T16:46:32.000+05:30
Sanity checks were missing in memcached code after memory allocations.

FIX

Put proper checks after memory alloction.MEMORY LEAK. *

Reviewed by :Jimmy
RB :10036
diff --git a/libevent/http.c b/libevent/http.c
@@ -1,6 +1,9 @@
 /*
  * Copyright (c) 2002-2006 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
+ * This file was modified by Oracle on 28-08-2015.
+ * Modifications copyright (c) 2015, Oracle and/or its affiliates.
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -105,6 +108,7 @@
 
 #define NI_NUMERICHOST 1
 #define NI_NUMERICSERV 2
+#define INNODB_CHANGED
 
 static int
 fake_getnameinfo(const struct sockaddr *sa, size_t salen, char *host, 
@@ -2400,6 +2404,14 @@ evhttp_set_cb(struct evhttp *http, const char *uri,
 		event_err(1, "%s: calloc", __func__);
 
 	http_cb->what = strdup(uri);
+
+#ifdef INNODB_CHANGED
+	if (http_cb->what == NULL) {
+		free(http_cb);
+		event_err(1, "%s: strdup",__func__);
+       }
+#endif
+
 	http_cb->cb = cb;
 	http_cb->cbarg = cbarg;
 
diff --git a/libevent/test/regress_http.c b/libevent/test/regress_http.c
@@ -1,6 +1,9 @@
 /*
  * Copyright (c) 2003-2006 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
+ * This file was modified by Oracle on 28-08-2015.
+ * Modifications copyright (c) 2015, Oracle and/or its affiliates.
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -57,6 +60,8 @@
 #include "log.h"
 #include "http-internal.h"
 
+#define INNODB_CHANGED
+
 extern int pair[];
 extern int test_ok;
 
@@ -278,6 +283,15 @@ http_chunked_cb(struct evhttp_request *req, void *arg)
 {
 	struct timeval when = { 0, 0 };
 	struct chunk_req_state *state = malloc(sizeof(struct chunk_req_state));
+
+#ifdef INNODB_CHANGED
+	if (!state) {
+		fprintf(stderr, "Unable to allocate memory in"
+				"http_chunked_cb...\n");
+		exit (1);
+	 }
+#endif
+
 	event_debug(("%s: called\n", __func__));
 
 	memset(state, 0, sizeof(struct chunk_req_state));
diff --git a/plugin/innodb_memcached/daemon_memcached/daemon/memcached.c b/plugin/innodb_memcached/daemon_memcached/daemon/memcached.c
@@ -5,6 +5,9 @@
  *       http://www.danga.com/memcached/
  *  Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
  *  Copyright 2003 Danga Interactive, Inc.  All rights reserved.
+ *  This file was modified by Oracle on 28-08-2015.
+ *  Modifications copyright (c) 2015, Oracle and/or its affiliates.
+ *  All rights reserved.
  *
  *  Use and distribution licensed under the BSD license.  See
  *  the LICENSE file for full text.
@@ -6430,6 +6433,15 @@ static void *new_independent_stats(void) {
     int ii;
     int nrecords = num_independent_stats();
     struct independent_stats *independent_stats = calloc(sizeof(independent_stats) + sizeof(struct thread_stats) * nrecords, 1);
+
+#ifdef INNODB_MEMCACHED
+    if (independent_stats == NULL) {
+	fprintf(stderr, "Unable to allocate memory for"
+		       "independent_stats...\n");
+       return (NULL);
+    }
+#endif
+
     if (settings.topkeys > 0)
         independent_stats->topkeys = topkeys_init(settings.topkeys);
     for (ii = 0; ii < nrecords; ii++)
@@ -7858,6 +7870,12 @@ int main (int argc, char **argv) {
 
     default_independent_stats = new_independent_stats();
 
+#ifdef INNODB_MEMCACHED
+    if (!default_independent_stats) {
+	exit(EXIT_FAILURE);
+    }
+#endif
+
 #ifndef __WIN32__
     /*
      * ignore SIGPIPE signals; we can use errno == EPIPE if we
diff --git a/plugin/innodb_memcached/innodb_memcache/src/innodb_api.c b/plugin/innodb_memcached/innodb_memcache/src/innodb_api.c
@@ -731,6 +731,11 @@ innodb_api_fill_value(
 		if (col_id == col_info[CONTAINER_VALUE].field_id) {
 
 			if (alloc_mem) {
+
+				/* when using innodb memcache the
+				code  will never come here becasue
+				we do not allocate memory for column
+				objects */
 				innodb_api_copy_mci(
 					read_tpl, col_id,
 					&item->col_value[MCI_COL_VALUE]);
diff --git a/plugin/innodb_memcached/innodb_memcache/src/innodb_engine.c b/plugin/innodb_memcached/innodb_memcache/src/innodb_engine.c
@@ -169,12 +169,12 @@ create_instance(
 	}
 
 	innodb_eng = malloc(sizeof(struct innodb_engine));
-	memset(innodb_eng, 0, sizeof(*innodb_eng));
 
 	if (innodb_eng == NULL) {
 		return(ENGINE_ENOMEM);
 	}
 
+	memset(innodb_eng, 0, sizeof(*innodb_eng));
 	innodb_eng->engine.interface.interface = 1;
 	innodb_eng->engine.get_info = innodb_get_info;
 	innodb_eng->engine.initialize = innodb_initialize;
@@ -887,21 +887,45 @@ innodb_conn_init(
 
 		memset(conn_data, 0, sizeof(*conn_data));
 		conn_data->result = malloc(sizeof(mci_item_t));
-		conn_data->conn_cookie = (void*) cookie;
-		UT_LIST_ADD_LAST(conn_list, engine->conn_data, conn_data);
-		engine->server.cookie->store_engine_specific(
-			cookie, conn_data);
+                if (!conn_data->result) {
+			UNLOCK_CONN_IF_NOT_LOCKED(has_lock, engine);
+			free(conn_data);
+			conn_data = NULL;
+			return(NULL);
+		}
 		conn_data->conn_meta = new_meta_info
 					 ? new_meta_info
 					 : engine->meta_info;
 		conn_data->row_buf = malloc(1024);
+                if (!conn_data->row_buf) {
+			UNLOCK_CONN_IF_NOT_LOCKED(has_lock, engine);
+			free(conn_data->result);
+			free(conn_data);
+			conn_data = NULL;
+			return(NULL);
+               }
 		conn_data->row_buf_len = 1024;
 
 		conn_data->cmd_buf = malloc(1024);
+                if (!conn_data->cmd_buf) {
+			UNLOCK_CONN_IF_NOT_LOCKED(has_lock, engine);
+			free(conn_data->row_buf);
+			free(conn_data->result);
+			free(conn_data);
+			conn_data = NULL;
+			return(NULL);
+               }
 		conn_data->cmd_buf_len = 1024;
 
 		conn_data->is_flushing = false;
 
+		conn_data->conn_cookie = (void*) cookie;
+
+		/* Add connection to the list after all memory allocations */
+		UT_LIST_ADD_LAST(conn_list, engine->conn_data, conn_data);
+		engine->server.cookie->store_engine_specific(
+			cookie, conn_data);
+
 		pthread_mutex_init(&conn_data->curr_conn_mutex, NULL);
 		UNLOCK_CONN_IF_NOT_LOCKED(has_lock, engine);
 	}
