Memcached segfault on increment

Janusz Dziemidowicz janusz.dziemidowicz at nasza-klasa.pl
Wed Jun 18 18:39:59 UTC 2008


2008/6/18 Tomash Brechko <tomash.brechko at gmail.com>:
> On Wed, Jun 18, 2008 at 14:18:13 +0200, Janusz Dziemidowicz wrote:
>> ==12825== Invalid write of size 1
>> ==12825==    at 0x4A1C979: memset (mc_replace_strmem.c:479)
>> ==12825==    by 0x40336D: do_add_delta (memcached.c:1535)
>
> Quick glance reveals another possible bug, at line 1529:
>
>        memcpy(ITEM_data(new_it) + res, "\r\n", 3);

Another thing I've found; it probably has nothing to do with this
problem, but nevertheless. I'm using a unix socket, so I was looking at how
it is created, and I found this in the function server_socket_unix():
    if (!(listen_conn = conn_new(sfd, conn_listening,
                                 EV_READ | EV_PERSIST, 1, false,
                                 main_base))) {
        fprintf(stderr, "failed to create listening connection\n");
        exit(EXIT_FAILURE);
    }

    return 0;

Seems fine, but conn_new() does not set listen_conn->next, and in
accept_new_conns() there is this loop:
    for (next = listen_conn; next; next = next->next) { ... }

so it depends on uninitialized memory.

-- 
Janusz Dziemidowicz
Administrator
nasza-klasa.pl
phone: +48500298526
email: janusz.dziemidowicz at nasza-klasa.pl

Nasza Klasa Sp. z o.o., ul. Dembowskiego 57/5, 51-670 Wrocław
District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial
Division of the National Court Register,
KRS no.: 0000289629, NIP: 898-21-22-104, REGON: 020586020
Share capital: 67850 PLN
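A short C sketch, added here as an illustration and not code from memcached or from either poster. The struct layout, the function names, the 0xAA poisoning of fresh allocations and the scratch-buffer sizes are all assumptions. It puts a constructor that leaves next unset beside one that terminates it, runs the same for (next = listen_conn; next; next = next->next) walk over a properly built list, and shows why copying sizeof("\r\n") bytes writes one byte more than the two that "\r\n" needs.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for memcached's conn struct: only the fields the
 * listener loop touches. Field names follow the message; layout is assumed. */
typedef struct conn {
    int sfd;            /* listening socket descriptor */
    int state;          /* conn_listening etc. (assumed enum) */
    struct conn *next;  /* link followed by the accept_new_conns() loop */
} conn;

enum { conn_listening = 1 };

/* Hand back memory filled with 0xAA instead of whatever the heap holds.
 * This imitates a debug allocator (or a reused block) so that a field the
 * constructor forgot is visibly garbage rather than accidentally zero. */
static conn *alloc_poisoned(void) {
    conn *c = malloc(sizeof *c);
    if (c) memset(c, 0xAA, sizeof *c);
    return c;
}

/* Constructor that forgets next, as the message describes conn_new() doing. */
conn *conn_new_forgets_next(int sfd, int state) {
    conn *c = alloc_poisoned();
    if (!c) return NULL;
    c->sfd = sfd;
    c->state = state;
    /* c->next deliberately left as whatever the allocator handed back */
    return c;
}

/* Corrected constructor: every link field is set before the object can be
 * published into a list that something else will walk. */
conn *conn_new_fixed(int sfd, int state) {
    conn *c = alloc_poisoned();
    if (!c) return NULL;
    c->sfd = sfd;
    c->state = state;
    c->next = NULL;
    return c;
}

/* True if this node would correctly terminate a singly linked list. */
int next_is_null(const conn *c) { return c->next == NULL; }

/* Same shape as the accept_new_conns() loop quoted in the message: walk
 * until a NULL link. Only safe when every node came from a constructor
 * that sets next. */
int count_listeners(const conn *listen_conn) {
    int n = 0;
    for (const conn *next = listen_conn; next; next = next->next) n++;
    return n;
}

/* Push a listener onto the head of the list; returns the new head. */
conn *push_listener(conn *head, conn *c) {
    c->next = head;
    return c;
}

/* 1 if a conn built without setting next carries a non-NULL garbage link
 * (the walk above would then dereference 0xAAAA...), 0 otherwise. */
int forgotten_next_is_garbage(void) {
    conn *c = conn_new_forgets_next(3, conn_listening);
    if (!c) return -1;
    int garbage = !next_is_null(c);
    free(c);
    return garbage;
}

/* Build n listeners with the fixed constructor and count them with the
 * same loop; frees the list before returning. */
int fixed_listener_list_count(int n) {
    conn *head = NULL;
    for (int i = 0; i < n; i++) {
        conn *c = conn_new_fixed(10 + i, conn_listening);
        if (!c) break;
        head = push_listener(head, c);
    }
    int count = count_listeners(head);
    while (head) { conn *d = head; head = head->next; free(d); }
    return count;
}

/* The quoted memcpy(ITEM_data(new_it) + res, "\r\n", 3) writes this many
 * bytes: the two line-ending bytes plus the literal's NUL terminator. */
size_t bytes_written_by_quoted_memcpy(void) { return sizeof("\r\n"); }

/* Append "\r\n" after res bytes of payload in a cap-byte buffer, copying
 * exactly the two bytes that were budgeted. Returns the new length, or -1
 * if they would not fit. */
long append_crlf(char *buf, size_t cap, size_t res) {
    if (res > cap || cap - res < 2) return -1;
    memcpy(buf + res, "\r\n", 2);
    return (long)(res + 2);
}

/* Exercise append_crlf on a scratch buffer of cap bytes (cap <= 64). */
long append_crlf_check(size_t cap, size_t res) {
    char scratch[64];
    if (cap > sizeof scratch) return -1;
    memset(scratch, 'x', sizeof scratch);
    return append_crlf(scratch, cap, res);
}
```

The poisoning step is what makes the missing initialisation reproducible: on a real heap the forgotten next may happen to be zero for a while and the loop works until an allocation pattern changes, which is exactly the kind of bug valgrind's uninitialised-value tracking is for.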

