MDEV-37952: Fix crash when setting mroonga_default_tokenizer to NULL #4606
kou
left a comment
+1
storage/mroonga/mysql-test/mroonga/storage/t/variable_default_tokenizer_disable.test
Setting mroonga_default_tokenizer to NULL caused a server crash because the update function did not handle the NULL value before passing it to strcmp. Handle NULL values by treating them as "off" to allow safe variable reset.
I have applied the feedback to use DEFAULT and empty line formatting.
- This PR fixes a SIGSEGV crash occurring when the system variable mroonga_default_tokenizer is set to NULL.
- The crash was caused by passing a NULL pointer to strcmp() in the update function of the mroonga_default_tokenizer variable.

**Changes**
- Mapped NULL input to "off" behavior.
- Included a test case to verify the fix.

This is the same fix I submitted to MariaDB here: MariaDB/server#4606

---------

Co-authored-by: Sutou Kouhei <kou@cozmixng.org>
Align with existing mroonga memory management patterns to ensure consistency, rather than relying on the MariaDB framework default behavior.
Hi, I have applied the manual allocation changes for new_value in mrn_default_tokenizer_update as discussed, aligning with the memory management pattern used in the previous Mroonga PR.
gkodinov
left a comment
Thank you for your contribution! This is a preliminary review.
```c
char **old_value_ptr = (char **)var_ptr;
grn_ctx *ctx = &mrn_ctx;

if(!new_value) {
```
Optional (as I realize most of the engine's string parameters are already behaving this way): I believe I do not quite like the silent substitution of NULL with "off". IMHO, if you don't want NULLs as arguments, then reject these.
I understand your concern about silent substitution. My understanding is that "off" means the default tokenizer is set to NULL (disabled). So when a user passes NULL, it seems appropriate to treat it as an intention to disable the tokenizer by setting the value to "off", as suggested by @kou
Yes. As a Mroonga maintainer, I choose this approach.
```c
if(!new_value) {
  new_value = "off";
#ifndef MRN_NEED_FREE_STRING_MEMALLOC_PLUGIN_VAR
```
you are going to call mrn_my_strdup() on this value below. Do you need to call it twice?
I think it will not be called twice. From my understanding, when the macro MRN_NEED_FREE_STRING_MEMALLOC_PLUGIN_VAR exists, it means we need to free the variable before allocating a new one, and this happens in:

```c
#ifdef MRN_NEED_FREE_STRING_MEMALLOC_PLUGIN_VAR
  my_free(*old_value_ptr);
  *old_value_ptr = mrn_my_strdup(new_value, MYF(MY_WME));
```

Otherwise, when the macro is off, it will not allocate the new value "off", which is in the static area, so when trying to free it later, it will cause a segmentation fault. This is in the MySQL case, so should I remove it? As the edit is in MariaDB, I updated it to be synchronized with Mroonga and to be consistent with other functions.
You're allocating the new_value! That's not yet in old_value_ptr!
Also note that plugin_vars_free_values() will always my_free the value assigned anyway for all PLUGIN_VAR_MEMALLOC variables (such as this one). Thus, assigning a constant string literal So, I'd guess that it won't work sans MRN_NEED_FREE_STRING_MEMALLOC_PLUGIN_VAR. But please don't take my word for it. It looks like you never compile without it anyway.
(Note that this code is not for MariaDB as hadeer-r already mentioned.)
It seems that you missed #ifndef and #ifdef differences.
This code is pre-processed like the following in MariaDB:

```c
if(!new_value) {
  new_value = "off";
}
// ...
my_free(*old_value_ptr);
*old_value_ptr = mrn_my_strdup(new_value, MYF(MY_WME));
```

This code is pre-processed like the following in MySQL:

```c
if(!new_value) {
  new_value = "off";
  new_value = mrn_my_strdup(new_value, MYF(MY_WME));
}
// ...
*old_value_ptr = (char *)new_value;
```

mrn_my_strdup() is never called twice.
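An added stand-alone C model (not Mroonga's or MariaDB's code) of the two pre-processed forms shown above, so the ownership of the "off" string can be checked without a server build. mrn_my_strdup_stub and the plain char ** slot are assumptions standing in for mrn_my_strdup() and the plugin-variable framework.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for mrn_my_strdup(new_value, MYF(MY_WME)): a plain heap copy. */
static char *mrn_my_strdup_stub(const char *s) {
  size_t n = strlen(s) + 1;
  char *copy = malloc(n);
  if (copy) memcpy(copy, s, n);
  return copy;
}

/* MariaDB form (MRN_NEED_FREE_STRING_MEMALLOC_PLUGIN_VAR defined): map NULL
 * to "off", release the previous value, then duplicate exactly once. */
static void update_mariadb(char **old_value_ptr, const char *new_value) {
  if (!new_value) new_value = "off";
  free(*old_value_ptr);
  *old_value_ptr = mrn_my_strdup_stub(new_value);
}

/* MySQL form (macro undefined): the framework already owns a heap copy of a
 * non-NULL new_value and frees it later, so only the substituted literal
 * needs its own heap copy; storing the literal itself would later be freed. */
static void update_mysql(char **old_value_ptr, const char *new_value) {
  if (!new_value) new_value = mrn_my_strdup_stub("off");
  *old_value_ptr = (char *)new_value;
}

/* The comparison that crashed on NULL before the fix; after either update
 * form the stored value is never NULL, so strcmp() is safe here. */
static int tokenizer_disabled(const char *value) {
  return value != NULL && strcmp(value, "off") == 0;
}

int main(void) {
  char *slot = mrn_my_strdup_stub("TokenBigram");  /* constructed sample */
  update_mariadb(&slot, NULL);                     /* NULL -> heap "off" */
  int disabled = tokenizer_disabled(slot);
  free(slot);                                      /* safe: heap-allocated */
  return disabled ? 0 : 1;
}
```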
Add copyright header to the test file. Disable the test in embedded mode by sourcing include/not_embedded.inc.
Summary
This PR fixes a SIGSEGV crash occurring when the system variable mroonga_default_tokenizer is set to NULL. The fix introduces a safety check to handle NULL values gracefully by treating them as an "off" state, preventing invalid memory access during string comparison.
The crash was rooted in the update function for the mroonga_default_tokenizer variable. It lacked a validation step for NULL inputs before passing the value to strcmp().
Key Changes:
Fix: MDEV-37952