libmemcache segfault / memory leak in 1.2.3 (patch to fix included)

John McCaskey johnm at klir.com
Wed Mar 16 09:29:00 PST 2005


Sergio, Sean & everyone,

Sergio was experiencing an unusual segfault in my php extension, and
I've tracked it down into the internals of libmemcache.  Since users are
experiencing this issue in actual use I thought it best to immediately
forward a potential fix to the entire list.  Hope you don't mind Sean!

The problem is that the internally allocated buffer used to be at the
memcache struct level, but moved to the server struct level.  Yet, the
cleanup was still being performed at the mcm_free() level rather than
the mcm_server_free() level.

There were 2 errors with this approach.  One, only the last server in
the list got its buffer freed; all other memory leaked.  Two, there was
no check to ensure that the list of servers was not empty, and as such
the free would occur on a null pointer in this situation and a segfault
would ensue.

I have patched this to perform the free inside of mcm_server_free on a
per server basis and this fixes both errors.  See attached patch which
is against libmemcache-1.2.3.


On Tue, 2005-03-15 at 19:32 -0800, Sergio Salvatore wrote:
> John,
> 
> Excellent.  I'm glad it's making more sense now. 
> Thanks so much for your hard work.  Please don't
> hesitate to let me know if there's anything I can do
> to help test...
> 
> /sergio
> 
> 
> --- John McCaskey <johnm at klir.com> wrote:
> 
> > Sergio,
> > 
> > Wow, I can reproduce it now!  I think it may have
> > something to do with
> > an invalid hostname vs a connection refused.  I'm
> > about to leave the
> > office for the night, but I'll try to look at this
> > some more later
> > tonight or at least tomorrow morning and get a fix
> > out.  Hopefully it's
> > not an issue in libmemcache itself, but if it is
> > I'll try to send a
> > patch out for that as well.
> > 
> > On Tue, 2005-03-15 at 16:20 -0800, Sergio Salvatore
> > wrote:
> > > John,
> > > 
> > > Thanks for the prompt response.  You're totally
> > right
> > > about the error logs---I should have included that
> > in
> > > my original message.  Here is what's in apache's
> > > error_log:
> > > 
> > > httpd: memcache: host memcachehost does not exist:
> > > Name or service not known.  Not adding to server
> > > list.: Success
> > > httpd:
> > > /home/sergio/src/libmemcache-1.2.3/memcache.c:676 
> >    
> > >   Unable to find a valid server
> > > httpd:
> > > /home/sergio/src/libmemcache-1.2.3/memcache.c:2145
> >    
> > >   Unable to find a valid server
> > > 
> > > For the bug test I was just trying to connect to a
> > > single remote server.  But it didn't seem to
> > matter
> > > how many servers there were---as long as none of
> > them
> > > were available.
> > > 
> > > From what I can see in the debug output---it does
> > look
> > > like libmemcache is complaining---but I wonder if
> > it's
> > > reporting this in a sane way to mcache---but I'm
> > sure
> > > you would know that better than I.  :)
> > > 
> > > Let me know if there's any way I can help.
> > > 
> > > Thanks!
> > > 
> > > /sergio
> > > 
> > > 
> > > --- John McCaskey <johnm at klir.com> wrote:
> > > > Sergio,
> > > > 
> > > > First, thanks for the bug report, I'd certainly
> > like
> > > > to look into it.
> > > > 
> > > > Is there any error info getting logged?  I can't
> > > > reproduce this just by
> > > > shutting down my memcache servers... It may be a
> > bug
> > > > in libmemcache
> > > > itself, libmemcache just does error logging to
> > > > stderr presently and
> > > > can't be redirected, so you should be able to
> > look
> > > > at your apache error
> > > > log file and see it.  Can you cut and paste what
> > you
> > > > see?
> > > > 
> > > > Also can you provide some details on the server
> > > > setup?  How many
> > > > memcache instances do you try to connect to? are
> > > > they local? remote?
> > > > 
> > > > Thanks.
> > > > 
> > > > On Tue, 2005-03-15 at 15:50 -0800, Sergio
> > Salvatore
> > > > wrote:
> > > > > John,
> > > > > 
> > > > > I hope this message finds you well.  First,
> > thanks
> > > > for
> > > > > the great work on the mcache php extension! 
> > It's
> > > > a
> > > > > great implementation.
> > > > > 
> > > > > I'm running into one very reproducible
> > problem. 
> > > > When
> > > > > testing, if all my memcached instances are
> > down,
> > > > > apache segfaults and the error log shows that
> > > > mcache
> > > > > doesn't like that it can't find any servers. 
> > Of
> > > > > course, all the memcache instances being down
> > is
> > > > very
> > > > > unlikely, but the segfaults are not
> > > desirable.
> > > > > 
> > > > > I was thinking that the get() method could
> > simply
> > > > > return false under this condition.
> > > > > 
> > > > > FYI, I'm using mcache 1.1.2 (as a shared
> > module)
> > > > with
> > > > > libmemcache 1.2.3 and memcached 1.1.11 on
> > RedHat
> > > > ES 3.
> > > > >  PHP version 4.3.10 statically compiled into
> > > > Apache
> > > > > 1.3.33.
> > > > > 
> > > > > Any ideas on how to fix this?
> > > > > 
> > > > > Thanks in advance for your help.
> > > > > 
> > > > > Sincerely,
> > > > > 
> > > > > Sergio Salvatore
> > > > > 
> > > > > 
> > > > -- 
> > > > John A. McCaskey
> > > > Software Development Engineer
> > > > Klir Technologies, Inc.
> > > > johnm at klir.com
> > > > 206.902.2027
> > > > 
> > > 
> > > 
> > -- 
> > John A. McCaskey
> > Software Development Engineer
> > Klir Technologies, Inc.
> > johnm at klir.com
> > 206.902.2027
> > 
> 
> 
-- 
John A. McCaskey
Software Development Engineer
Klir Technologies, Inc.
johnm at klir.com
206.902.2027
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libmemcache-1.2.3-memory_fixes.patch
Type: text/x-patch
Size: 1098 bytes
Desc: not available
Url : http://lists.danga.com/pipermail/memcached/attachments/20050316/043750a6/libmemcache-1.2.3-memory_fixes-0001.bin
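
The two failure modes described in the message (only the last server's buffer released, and no empty-list check) and the per-server fix, modelled as an added example. This is not libmemcache code and not the attached patch; `struct server`, `struct pool` and every function name here are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical model, not libmemcache's structs: each server owns a buffer. */
struct server { char *buf; struct server *next; };
struct pool { struct server *head, *last; };

int pool_add(struct pool *p) {
    struct server *s = calloc(1, sizeof *s);
    if (!s || !(s->buf = malloc(64))) { free(s); return -1; }
    if (p->last) p->last->next = s; else p->head = s;
    p->last = s;
    return 0;
}

/* Pre-patch pattern: pool-level cleanup reaches only the last server's buffer.
 * Returns buffers still allocated, or -1 for an empty list (unchecked = crash). */
int pool_release_old(struct pool *p) {
    int left = 0;
    if (!p->last) return -1;
    free(p->last->buf);
    p->last->buf = NULL;
    for (struct server *s = p->head; s; s = s->next) left += (s->buf != NULL);
    return left;
}

/* Patched pattern: the per-server free releases that server's own buffer. */
int server_free(struct server *s) {
    int had = (s->buf != NULL);
    free(s->buf);
    free(s);
    return had;
}

int pool_free(struct pool *p) {   /* empty list is a no-op */
    int released = 0;
    for (struct server *s = p->head, *next; s; s = next) {
        next = s->next;
        released += server_free(s);
    }
    p->head = p->last = NULL;
    return released;
}

int main(void) {
    struct pool p = {0};
    int empty = pool_release_old(&p);
    for (int i = 0; i < 3; i++) pool_add(&p);
    int left = pool_release_old(&p);
    printf("old: empty=%d left=%d; patched released=%d\n", empty, left, pool_free(&p));
}
```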

