`lttng_register_trigger` samples the address of the lsm header in the
message payload. However, it does so before calling
`lttng_trigger_serialize()` which may increase the underlying buffer's
size (and cause a realloc()).
Most of the time the message buffer is large enough _or_ its realloc
yields the same address which hid the problem. However, I stumbled on
a case (a trigger which snapshots to a long location) where the realloc
ends up returning a completely different address, causing invalid data
to be sent to the session daemon.
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Change-Id: I8e4323dac778bc2a1af7b6e2cca42f6521abaee2
goto end;
}
- /*
- * This is needed to populate the trigger object size for the command
- * header.
- */
- message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
-
ret = lttng_trigger_serialize(trigger, &message);
if (ret < 0) {
ret = -LTTNG_ERR_UNK;
goto end;
}
+ /*
+ * This is needed to populate the trigger object size for the command
+ * header.
+ */
+ message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
+
message_lsm->u.trigger.length = (uint32_t) message.buffer.size - sizeof(lsm);
{
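Review bot: the moved comment above `message_lsm = (struct lttcomm_session_msg *) message.buffer.data;` still only says the pointer is "needed to populate the trigger object size", not why it must be taken after `lttng_trigger_serialize()`; without that, the assignment is easy to hoist back above the serialize call and reintroduce the stale pointer. Suggest stating the invariant in the comment, e.g. "Sample the lsm header address only after serialization, which may realloc() the buffer and move it". As a minor style point on the unchanged line `message_lsm->u.trigger.length = (uint32_t) message.buffer.size - sizeof(lsm);`, the cast binds to `message.buffer.size` alone, so the subtraction is still done in `size_t` and narrowed on assignment; `(uint32_t) (message.buffer.size - sizeof(lsm))` says what is meant.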