From: Jérémie Galarneau
Date: Thu, 18 Feb 2021 23:13:19 +0000 (-0500)
Subject: Fix: lttng-ctl: appending to dynamic buffer invalidates its data member
X-Git-Tag: v2.13.0-rc1~323
X-Git-Url: http://git.lttng.org/?p=lttng-tools.git;a=commitdiff_plain;h=b22f4f54e95ae13edda1d4d5efd1e4845a6319c4

Fix: lttng-ctl: appending to dynamic buffer invalidates its data member

`lttng_register_trigger` samples the address of the lsm header in the
message payload. However, it does so before calling
`lttng_trigger_serialize()`, which may increase the underlying buffer's
size (and cause a realloc()).

Most of the time the message buffer is large enough _or_ its realloc
yields the same address, which hid the problem. However, I stumbled on a
case (a trigger which snapshots to a long location) where the realloc
ends up returning a completely different address, causing invalid data
to be sent to the session daemon.

Signed-off-by: Jérémie Galarneau
Change-Id: I8e4323dac778bc2a1af7b6e2cca42f6521abaee2
---
diff --git a/src/lib/lttng-ctl/lttng-ctl.c b/src/lib/lttng-ctl/lttng-ctl.c
index d0a117f4b..5b774e1d6 100644
--- a/src/lib/lttng-ctl/lttng-ctl.c
+++ b/src/lib/lttng-ctl/lttng-ctl.c
@@ -3147,18 +3147,18 @@ int lttng_register_trigger(struct lttng_trigger *trigger) goto end; } - /* - * This is needed to populate the trigger object size for the command - * header. - */ - message_lsm = (struct lttcomm_session_msg *) message.buffer.data; - ret = lttng_trigger_serialize(trigger, &message); if (ret < 0) { ret = -LTTNG_ERR_UNK; goto end; } + /* + * This is needed to populate the trigger object size for the command + * header. + */ + message_lsm = (struct lttcomm_session_msg *) message.buffer.data; + message_lsm->u.trigger.length = (uint32_t) message.buffer.size - sizeof(lsm); {
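Review bot: the relocated comment in the hunk (`/* This is needed to populate the trigger object size for the command header. */`) still says only why `message_lsm` is taken, not why it must be taken after `lttng_trigger_serialize()`, so a later reordering would silently reintroduce the stale-pointer bug the commit message describes. Suggest spelling out the invariant, e.g. `* message.buffer.data must be sampled after serialization: appending to the dynamic buffer may realloc() it and invalidate any earlier pointer into it.` Keeping the assignment immediately adjacent to the write of `message_lsm->u.trigger.length`, as this hunk does, is the right shape; any future append between the two would need the pointer re-derived again. Minor, in the unchanged context line: in `(uint32_t) message.buffer.size - sizeof(lsm)` the cast binds to `message.buffer.size` alone, so the subtraction is done in `size_t` and only narrowed on assignment; `(uint32_t) (message.buffer.size - sizeof(lsm))` would make the intent explicit.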
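The failure mode described in the commit message, as an added example that is not lttng-tools code: a minimal growable byte buffer (hypothetical `dyn_buf`/`dyn_buf_append`, a stand-in `msg_header`, and the functions `header_ptr_goes_stale` and `build_message` are all invented here) whose growth always moves the storage, a function showing that a header pointer sampled before an append no longer refers to the buffer, and the corrected ordering that derives the header pointer only after the last append. The commit message describes a realloc()-based buffer, which may or may not move and so hides the bug most of the time; this toy buffer moves on every growth so the effect is reproducible.

```c
/*
 * Added example, not lttng-tools code. All names (dyn_buf, msg_header,
 * header_ptr_goes_stale, build_message, big_payload) are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dyn_buf {
	char *data;      /* may move on any append that grows the buffer */
	size_t size;     /* bytes in use */
	size_t capacity; /* bytes allocated */
};

/* Stand-in for the wire header; only the length field matters here. */
struct msg_header {
	uint32_t cmd;
	uint32_t length; /* payload bytes following the header */
};

/* Constructed payload, large enough to force the buffer to grow. */
static const char big_payload[4096];

/*
 * Grow-by-doubling append. A fresh block is allocated while the old one
 * is still live, so storage always moves on growth (a realloc() may not).
 */
static int dyn_buf_append(struct dyn_buf *b, const void *src, size_t len)
{
	if (b->size + len > b->capacity) {
		size_t new_cap = b->capacity ? b->capacity : 16;
		char *fresh;
		while (new_cap < b->size + len)
			new_cap *= 2;
		fresh = malloc(new_cap);
		if (!fresh)
			return -1;
		if (b->size)
			memcpy(fresh, b->data, b->size);
		free(b->data);
		b->data = fresh;
		b->capacity = new_cap;
	}
	memcpy(b->data + b->size, src, len);
	b->size += len;
	return 0;
}

/*
 * Buggy ordering: the header address is sampled before the payload append.
 * Returns 1 if it no longer refers to the buffer (a write through it would
 * be a use-after-free). Compared as integers, so no dangling pointer is used.
 */
int header_ptr_goes_stale(size_t payload_len)
{
	struct dyn_buf b = { NULL, 0, 0 };
	struct msg_header hdr = { 1, 0 };
	char *payload = calloc(1, payload_len ? payload_len : 1);

	if (!payload)
		return -1;
	dyn_buf_append(&b, &hdr, sizeof(hdr));
	uintptr_t sampled = (uintptr_t) b.data;   /* "message_lsm" taken too early */
	dyn_buf_append(&b, payload, payload_len); /* may move b.data */
	int stale = sampled != (uintptr_t) b.data;
	free(payload);
	free(b.data);
	return stale;
}

/*
 * Fixed ordering: append everything first, then derive the header pointer
 * from the final b.data and patch the length. Returns the length read back
 * from the buffer, or -1 on allocation failure.
 */
long build_message(const void *payload, size_t payload_len)
{
	struct dyn_buf b = { NULL, 0, 0 };
	struct msg_header hdr = { 1, 0 };
	struct msg_header *h;
	long out;

	if (dyn_buf_append(&b, &hdr, sizeof(hdr)) ||
			dyn_buf_append(&b, payload, payload_len)) {
		free(b.data);
		return -1;
	}
	h = (struct msg_header *) b.data; /* valid: no append follows */
	h->length = (uint32_t) (b.size - sizeof(*h));
	out = h->length;
	free(b.data);
	return out;
}

int main(void)
{
	printf("stale=%d length=%ld\n", header_ptr_goes_stale(sizeof(big_payload)),
			build_message(big_payload, sizeof(big_payload)));
	return 0;
}
```

The robust habit the fixed function shows is to keep an offset (here, 0) rather than a pointer while a buffer is still being appended to, and to re-derive the pointer from the final `data` member only when no further appends can follow. Built with AddressSanitizer, a write through the early-sampled pointer in a realloc()-based buffer is reported as a heap-use-after-free whenever the block actually moves, which is a quick way to catch this ordering mistake in a test suite.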