Fix: lttng-ctl: appending to dynamic buffer invalidates its data member
Author: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Thu, 18 Feb 2021 23:13:19 +0000 (18:13 -0500)
Committer: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Thu, 18 Feb 2021 23:48:45 +0000 (18:48 -0500)
`lttng_register_trigger` samples the address of the lsm header in the
message payload. However, it does so before calling
`lttng_trigger_serialize()` which may increase the underlying buffer's
size (and cause a realloc()).

Most of the time the message buffer is large enough _or_ its realloc
yields the same address which hid the problem. However, I stumbled on
a case (a trigger which snapshots to a long location) where the realloc
ends up returning a completely different address, causing invalid data
to be sent to the session daemon.

Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
Change-Id: I8e4323dac778bc2a1af7b6e2cca42f6521abaee2
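The stale-pointer pattern the commit message describes, as an added C example that is not part of the lttng-tools change itself: `dyn_buf`, `msg_header`, `dyn_buf_append` and `build_message` are constructed stand-ins for the real dynamic buffer and `lttcomm_session_msg`, and buffer growth is made to always move so the rarely hit realloc case is reproduced deterministically rather than left to the allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for lttng's dynamic buffer and lttcomm_session_msg header. */
struct dyn_buf { char *data; size_t size; size_t capacity; };
struct msg_header { uint32_t cmd; uint32_t payload_length; };
static const char filler[256]; /* constructed payload bytes */

/* Grow by allocating a fresh block and freeing the old one, so growth ALWAYS moves the
 * data: the "realloc() returned a different address" case from the commit, made
 * deterministic. Every pointer into the old block is dangling once this returns. */
static int dyn_buf_append(struct dyn_buf *b, const void *src, size_t len)
{
	if (b->size + len > b->capacity) {
		size_t cap = (b->size + len) * 2;
		char *fresh = malloc(cap);
		if (!fresh) return -1;
		if (b->size) memcpy(fresh, b->data, b->size);
		free(b->data);
		b->data = fresh;
		b->capacity = cap;
	}
	memcpy(b->data + b->size, src, len);
	b->size += len;
	return 0;
}

/* Build header + payload and record the payload length in the header.
 * sample_before != 0 reproduces the pre-fix ordering: the header pointer is taken
 * before the payload is appended; if that append moved the buffer the pointer is
 * dangling and -1 is returned instead of writing through it. sample_before == 0 is the
 * fixed ordering. A small payload fits in the spare capacity either way (bug hidden). */
static long build_message(size_t payload_len, int sample_before)
{
	struct dyn_buf b = { 0 };
	struct msg_header hdr = { 1, 0 }, *h = NULL;
	dyn_buf_append(&b, &hdr, sizeof(hdr));
	if (sample_before) h = (struct msg_header *) b.data;
	dyn_buf_append(&b, filler, payload_len);
	if (h && (char *) h != b.data) { /* stale: only compared, never dereferenced */
		free(b.data);
		return -1;
	}
	h = (struct msg_header *) b.data; /* valid: no further growth follows */
	h->payload_length = (uint32_t) (b.size - sizeof(hdr));
	long length = h->payload_length;
	free(b.data);
	return length;
}
```

With an 8-byte header the first append leaves 8 spare bytes, so a 4-byte payload never moves the buffer and the pre-fix ordering appears to work, while a 64-byte payload forces a move and the sampled pointer is caught as stale.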

src/lib/lttng-ctl/lttng-ctl.c

index d0a117f4be1dba076b877b226162cf74fbc71ac3..5b774e1d6bcbc1e9df4c01efc0e98634e1172e72 100644
@@ -3147,18 +3147,18 @@ int lttng_register_trigger(struct lttng_trigger *trigger)
                goto end;
        }
 
                goto end;
        }
 
-       /*
-        * This is needed to populate the trigger object size for the command
-        * header.
-       */
-       message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
-
        ret = lttng_trigger_serialize(trigger, &message);
        if (ret < 0) {
                ret = -LTTNG_ERR_UNK;
                goto end;
        }
 
        ret = lttng_trigger_serialize(trigger, &message);
        if (ret < 0) {
                ret = -LTTNG_ERR_UNK;
                goto end;
        }
 
+       /*
+        * This is needed to populate the trigger object size for the command
+        * header.
+        */
+       message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
+
        message_lsm->u.trigger.length = (uint32_t) message.buffer.size - sizeof(lsm);
 
        {
        message_lsm->u.trigger.length = (uint32_t) message.buffer.size - sizeof(lsm);
 
        {
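Review bot: the relocated comment ("This is needed to populate the trigger object size for the command header") explains why `message_lsm->u.trigger.length` is assigned, not why the `message_lsm` cast must now sit after `lttng_trigger_serialize()`; without that ordering constraint written down, a later reader can hoist the assignment back above the serialize call and reintroduce the dangling pointer. Suggest extending the comment along the lines of `* lttng_trigger_serialize() may reallocate message.buffer, so the header pointer is only taken once the payload is complete.` It is also worth confirming that nothing else in this function holds a pointer into `message.buffer.data` across the serialize call.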