From: Frazer Clement Date: January 10 2013 2:20pm Subject: bzr push into mysql-5.1-telco-7.0 branch (frazer.clement:5067 to 5068) Bug#14537622 List-Archive: http://lists.mysql.com/commits/145595 X-Bug: 14537622 Message-Id: <201301101420.r0AEKLCg013848@acsmt356.oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 5068 Frazer Clement 2013-01-10 Bug #14537622 FORCED NODE SHUTDOWN COMPLETED. CAUSED BY ERROR 2339: SEND SIGNAL ERROR Signal trace shows a badly formed DUMP_STATE_ORD signal resulted in the crash. DUMP 1000 reports resource usage and is used by some customers from their monitoring middleware. Perhaps a malformed request was made. This patch adds some validation to the received block reference, to ensure that the receiving node id is in range. This should make the DUMP 1000 handling more robust to misuse. modified: mysql-test/suite/ndb/r/ndb_mgm.result mysql-test/suite/ndb/t/ndb_mgm.test storage/ndb/src/kernel/blocks/cmvmi/Cmvmi.cpp 5067 Mauritz Sundell 2013-01-10 bump version back to 7.0.38 modified: configure.in storage/ndb/ndb_configure.m4 === modified file 'mysql-test/suite/ndb/r/ndb_mgm.result' --- a/mysql-test/suite/ndb/r/ndb_mgm.result 2012-11-28 16:01:52 +0000 +++ b/mysql-test/suite/ndb/r/ndb_mgm.result 2013-01-10 13:52:29 +0000 @@ -91,6 +91,13 @@ Illegal argument -1 ERROR: Illegal value '-1' in argument to signal. (Value must be between 0 and 0xffffffff.) +Robustness issue with bug#14537622 +Data node must not crash here +Sending dump signal with data: +0x000003e8 0x000003e8 +Sending dump signal with data: +0x000003e8 0x000003e8 + ALL DUMP 1 Sending dump signal with data: 0x00000001 === modified file 'mysql-test/suite/ndb/t/ndb_mgm.test' --- a/mysql-test/suite/ndb/t/ndb_mgm.test 2012-11-28 16:01:52 +0000 +++ b/mysql-test/suite/ndb/t/ndb_mgm.test 2013-01-10 13:52:29 +0000 
@@ -158,6 +158,10 @@ echo Illegal argument -1; --error 255 exec $mgm_cmd -e "1 DUMP -1"; +echo Robustness issue with bug#14537622; +echo Data node must not crash here; +exec $mgm_cmd -e "ALL DUMP 1000 1000"; + echo ALL DUMP 1; exec $mgm_cmd -e "ALL DUMP 1 "; === modified file 'storage/ndb/src/kernel/blocks/cmvmi/Cmvmi.cpp' --- a/storage/ndb/src/kernel/blocks/cmvmi/Cmvmi.cpp 2012-01-16 07:14:30 +0000 +++ b/storage/ndb/src/kernel/blocks/cmvmi/Cmvmi.cpp 2013-01-10 13:52:29 +0000 @@ -1461,6 +1461,19 @@ Cmvmi::execDUMP_STATE_ORD(Signal* signal { // Dump data and index memory to specific ref Uint32 result_ref = signal->theData[1]; + /* Validate ref */ + { + Uint32 node = refToNode(result_ref); + if (node == 0 || + node >= MAX_NODES) + { + ndbout_c("Bad node in ref to DUMP %u : %u %u", + DumpStateOrd::DumpPageMemory, + node, + result_ref); + return; + } + } reportDMUsage(signal, 0, result_ref); reportIMUsage(signal, 0, result_ref); return; No bundle (reason: useless for push emails).
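Review bot: In the ndb_mgm.test hunk, the new case runs `ALL DUMP 1000 1000` but nothing after the exec confirms that the data nodes are still up; the echo "Data node must not crash here" states the expectation without checking it. Consider following the exec with an explicit check of data node status so the test fails on its own if a node goes down, instead of relying on the later DUMP commands. The test also uses a single argument value (1000), while the check added in Cmvmi.cpp rejects on two conditions (`node == 0` and `node >= MAX_NODES`); a second case that hits the other condition would cover both branches.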
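Review bot: In the Cmvmi.cpp hunk, the new validation covers only the node part of result_ref (`node == 0 || node >= MAX_NODES`); the block part of the reference is still passed unchecked to reportDMUsage() and reportIMUsage(), and a node id that is in range is not checked for being a node that is actually configured or connected. Since the stated aim is robustness against malformed DUMP 1000 requests, consider validating the block number and the reachability of the node as well before replying. Minor points: the ndbout_c message prints result_ref with %u, while a block reference is easier to read in hex (the test output shows the argument as 0x000003e8), and a short comment saying that the request is intentionally dropped with a bare return, with no error reported to the sender, would help the next reader.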