Fix: lttng-ctl: appending to dynamic buffer invalidates its data member
authorJérémie Galarneau <jeremie.galarneau@efficios.com>
Thu, 18 Feb 2021 23:13:19 +0000 (18:13 -0500)
committerJérémie Galarneau <jeremie.galarneau@efficios.com>
Thu, 18 Feb 2021 23:48:45 +0000 (18:48 -0500)
`lttng_register_trigger` samples the address of the lsm header in the
message payload. However, it does so before calling
`lttng_trigger_serialize()` which may increase the underlying buffer's
size (and cause a realloc()).

Most of the time the message buffer is large enough _or_ its realloc
yields the same address which hid the problem. However, I stumbled on
a case (a trigger which snapshots to a long location) where the realloc
ends-up returning a completely different address, causing invalid data
to be sent to the session daemon.

Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Change-Id: I8e4323dac778bc2a1af7b6e2cca42f6521abaee2

src/lib/lttng-ctl/lttng-ctl.c

index d0a117f4be1dba076b877b226162cf74fbc71ac3..5b774e1d6bcbc1e9df4c01efc0e98634e1172e72 100644 (file)
@@ -3147,18 +3147,18 @@ int lttng_register_trigger(struct lttng_trigger *trigger)
                goto end;
        }
 
-       /*
-        * This is needed to populate the trigger object size for the command
-        * header.
-       */
-       message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
-
        ret = lttng_trigger_serialize(trigger, &message);
        if (ret < 0) {
                ret = -LTTNG_ERR_UNK;
                goto end;
        }
 
+       /*
+        * This is needed to populate the trigger object size for the command
+        * header.
+        */
+       message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
+
        message_lsm->u.trigger.length = (uint32_t) message.buffer.size - sizeof(lsm);
 
        {
This page took 0.0262 seconds and 4 git commands to generate.