From: Jérémie Galarneau
Date: Thu, 2 Apr 2020 18:08:12 +0000 (-0400)
Subject: Fix: relayd: crash on creation of session by peer < 2.11
X-Git-Tag: v2.13.0-rc1~690
X-Git-Url: https://git.lttng.org/?p=lttng-tools.git;a=commitdiff_plain;h=d7a20fcf33143103aa58cf1b48f4507af2d09e70;hp=3f0c969023c8aa14ed2ad12a97a8a70e07254dc6

Fix: relayd: crash on creation of session by peer < 2.11

Observed issue
==============

A NULL pointer dereference occurs during the creation of a session that
is associated with a peer older than 2.11. The resulting backtrace
follows:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000564af45b755b in lttng_trace_chunk_set_as_owner (chunk=0x7f8ca8004730, session_output_directory=0x7f8ca8004680) at trace-chunk.c:1033
1033	if (chunk->path[0] != '\0') {
[Current thread is 1 (Thread 0x7f8cb808d700 (LWP 7300))]
#0  0x0000564af45b755b in lttng_trace_chunk_set_as_owner (chunk=0x7f8ca8004730, session_output_directory=0x7f8ca8004680) at trace-chunk.c:1033
#1  0x0000564af45a6a78 in session_set_anonymous_chunk (session=0x7f8ca8001380) at session.c:229
#2  session_create (session_name=, hostname=, base_path=, live_timer=, snapshot=, sessiond_uuid=, id_sessiond=, current_chunk_id=, creation_time=, major=, minor=, session_name_contains_creation_time=) at session.c:416
#3  0x0000564af459207e in relay_create_session (conn=0x7f8ca0000f60, payload=, recv_hdr=) at main.c:1428
#4  0x0000564af4594f12 in relay_process_control_command (payload=0x7f8cb808c940, header=0x7f8ca0001000, conn=0x7f8ca0000f60) at main.c:3218
#5  relay_process_control_receive_payload (conn=0x7f8ca0000f60) at main.c:3361
#6  0x0000564af45980b0 in relay_process_control (conn=0x7f8ca0000f60) at main.c:3478
#7  relay_thread_worker (data=) at main.c:3927
#8  0x00007f8cbba9a46f in start_thread () from /usr/lib/libpthread.so.0
#9  0x00007f8cbb9ca3d3 in clone () from /usr/lib/libc.so.6

Cause
=====

lttng_trace_chunk_set_as_owner() correctly handles the case where a
trace chunk has no output path, but expects the path to be an empty
string rather than being NULL.

This is not correct as an anonymous chunk, created in backward
compatibility mode when interacting with older peers, has no path; the
path is transmitted as part of the streams' attributes upon their
creation.

Solution
========

Simply check for a NULL pointer in the same place where the empty chunk
path string is created. The rest of the code in trace-chunk.c doesn't
assume that the chunk's path is non-NULL.

Note
====

The problem was introduced during the 2.12 release cycle (clear
feature); this doesn't need to be backported.

Signed-off-by: Jérémie Galarneau
Change-Id: Iaeb41e1648d61fbbe78d70b21191fd6d720900df
---

diff --git a/src/common/trace-chunk.c b/src/common/trace-chunk.c index 8ac00c120..327929269 100644 --- a/src/common/trace-chunk.c +++ b/src/common/trace-chunk.c @@ -1030,7 +1030,7 @@ enum lttng_trace_chunk_status lttng_trace_chunk_set_as_owner( status = LTTNG_TRACE_CHUNK_STATUS_ERROR; goto end; } - if (chunk->path[0] != '\0') { + if (chunk->path && chunk->path[0] != '\0') { ret = lttng_directory_handle_create_subdirectory_as_user( session_output_directory, chunk->path,
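Review bot: the `chunk->path &&` guard added at trace-chunk.c:1033 stops the dereference, but the hunk ends right after the condition, so the branch taken when `path` is NULL rather than empty is not visible here; the commit message's claim that the rest of trace-chunk.c does not assume a non-NULL path is the invariant this fix relies on, and it should be recorded where it can be seen, for example as a comment on the `path` member of the trace chunk stating that it is NULL for anonymous chunks created for peers older than 2.11. Without that, the next caller written against the "empty string means no path" assumption reintroduces the same crash on a remotely triggered code path (relay_create_session() is reached from relay_process_control_command(), per the backtrace). A regression test that creates a session from a peer advertising a version below 2.11 and drives it through lttng_trace_chunk_set_as_owner() would document the backward-compatibility path this change covers.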