Posted to dev@zookeeper.apache.org by "Raul Gutierrez Segales (JIRA)" <ji...@apache.org> on 2015/05/08 21:37:01 UTC

[jira] [Created] (ZOOKEEPER-2186) QuorumCnxManager#receiveConnection

Raul Gutierrez Segales created ZOOKEEPER-2186:
-------------------------------------------------

             Summary: QuorumCnxManager#receiveConnection
                 Key: ZOOKEEPER-2186
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2186
             Project: ZooKeeper
          Issue Type: Bug
          Components: server
            Reporter: Raul Gutierrez Segales
            Assignee: Raul Gutierrez Segales
             Fix For: 3.4.7, 3.5.1, 3.6.0


This will allocate an arbitrarily large byte buffer (and try to read it!):

{code}
    public boolean receiveConnection(Socket sock) {
        Long sid = null;
...
                sid = din.readLong();
                // next comes the #bytes in the remainder of the message
                int num_remaining_bytes = din.readInt();
                byte[] b = new byte[num_remaining_bytes];
                // remove the remainder of the message from din
                int num_read = din.read(b);
{code}

This will crash the QuorumCnxManager thread, so the cluster will keep going but future elections might fail to converge (ditto for leaving/joining members). 

Patch coming up in a bit.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
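
One way to bound the length-prefixed read shown in the report, as an added example that is not the ZooKeeper patch or any project code. The class name, the helper names, the `MAX_REMAINING_BYTES` cap and the sample payload are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class BoundedHandshakeRead {
    // Assumed cap for this example; not a value taken from ZooKeeper.
    static final int MAX_REMAINING_BYTES = 512 * 1024;

    /** Reads sid, then the length-prefixed remainder, rejecting bad lengths before allocating. */
    static byte[] readRemainder(DataInputStream din) throws IOException {
        long sid = din.readLong();
        int numRemainingBytes = din.readInt();
        // Negative lengths would throw NegativeArraySizeException; huge ones exhaust the heap.
        if (numRemainingBytes < 0 || numRemainingBytes > MAX_REMAINING_BYTES) {
            throw new IOException("sid " + sid + ": unreasonable length " + numRemainingBytes);
        }
        byte[] b = new byte[numRemainingBytes];
        // readFully throws EOFException on a short stream instead of returning a partial count.
        din.readFully(b);
        return b;
    }

    // Constructed sample message: sid, declared length, then the payload actually sent.
    static DataInputStream message(long sid, int declaredLen, byte[] payload) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeLong(sid);
        out.writeInt(declaredLen);
        out.write(payload);
        return new DataInputStream(new ByteArrayInputStream(buf.toByteArray()));
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = "host:3888".getBytes("UTF-8"); // constructed payload
        System.out.println("valid: " + readRemainder(message(1L, payload.length, payload)).length + " bytes");
        int[] badLengths = {Integer.MAX_VALUE, -1, payload.length + 4};
        for (int len : badLengths) {
            try {
                readRemainder(message(2L, len, payload));
                System.out.println("accepted " + len);
            } catch (IOException e) {
                // A checked exception lets the caller drop this one socket and keep listening.
                System.out.println("rejected " + len + ": " + e);
            }
        }
    }
}
```

The third bad length is within the cap but longer than the data sent, which is the case where `din.read(b)` in the original snippet would return a short count without signalling an error.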