lttng-ctl: fix: lttng_data_pending confuses communication status

lttng_ctl_ask_sessiond can return a positive value even though it
failed to receive the variable length payload of a session message
reply. In this case, lttng_ctl_ask_sessiond ends up calling into
lttng_ctl_ask_sessiond_fds_varlen() which will return the (negated)
error code returned by the session daemon if it was not LTTNG_OK.

The peer could return anything here, which lttng_data_pending will end
up interpreting as the length of the variable data that was received.

In this case, if the sessiond returns '-1', '1' will be returned to
lttng_data_pending, which it will interpret as being the length of the
'data_pending' byte flag. It will then dereference 'pending', which is
NULL, and (most likely) crash.

Check for NULL on top of checking for the return code. This
communication layer needs love as much as it needs a bulldozer.

Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>

diff --git a/src/lib/lttng-ctl/lttng-ctl.c b/src/lib/lttng-ctl/lttng-ctl.c
index 87081390175f346fb8d7b117e4439c6483d21faa..1a6e75acfea4286e8b8c5a6dddb25225190e8d7d 100644 (file)
--- a/src/lib/lttng-ctl/lttng-ctl.c
+++ b/src/lib/lttng-ctl/lttng-ctl.c
@@ -2229,6 +2229,10 @@ int lttng_data_pending(const char *session_name)
                /* Unexpected payload size */
                ret = -LTTNG_ERR_INVALID;
                goto end;
+       } else if (!pending) {
+               /* Internal error. */
+               ret = -LTTNG_ERR_UNK;
+               goto end;
        }
 
        ret = (int) *pending;