Skip to content

Commit

Permalink
libroach: ensure correct lifetime for resume_key on reverse iteration
Browse files Browse the repository at this point in the history
Fixes #32149.

Before this change, it was possible for `DBScanResults.resume_key` to
point into memory owned by `mvccScanner`, which went out of scope after
`MVCCScan` returned. This allowed for memory corruption when returning
the key to Go.

This change fixes this corruption by copying the memory to the `DBIterator`
before returning, which should have a lifetime which exceeds that of the
`DBScanResults`.

Release note: None
  • Loading branch information
nvanbenschoten committed Nov 19, 2018
1 parent 5449f84 commit 049fc0d
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 2 deletions.
1 change: 1 addition & 0 deletions c-deps/libroach/iterator.h
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ struct DBIterator {
std::unique_ptr<cockroach::chunkedBuffer> kvs;
std::unique_ptr<rocksdb::WriteBatch> intents;
std::unique_ptr<IteratorStats> stats;
std::string rev_resume_key;

rocksdb::ReadOptions read_opts;
std::string lower_bound_str;
Expand Down
13 changes: 11 additions & 2 deletions c-deps/libroach/mvcc.h
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,16 @@ template <bool reverse> class mvccScanner {
}

if (kvs_->Count() == max_keys_ && advanceKey()) {
results_.resume_key = ToDBSlice(cur_key_);
if (reverse) {
// It is possible for cur_key_ to be pointing into mvccScanner.saved_buf_
// instead of iter_rep_'s underlying storage if iterating in reverse (see
// iterPeekPrev), so copy the key onto the DBIterator struct to ensure it
// has a lifetime that outlives the DBScanResults.
iter_->rev_resume_key.assign(cur_key_.data(), cur_key_.size());
results_.resume_key = ToDBSlice(iter_->rev_resume_key);
} else {
results_.resume_key = ToDBSlice(cur_key_);
}
}

return fillResults();
Expand Down Expand Up @@ -199,7 +208,7 @@ template <bool reverse> class mvccScanner {
}

if (cur_value_.size() == 0) {
return setStatus(FmtStatus("zero-length mvcc metadata"));
return setStatus(FmtStatus("zero-length mvcc metadata"));
}

if (!meta_.ParseFromArray(cur_value_.data(), cur_value_.size())) {
Expand Down

0 comments on commit 049fc0d

Please sign in to comment.