From b22f4f54e95ae13edda1d4d5efd1e4845a6319c4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=A9mie=20Galarneau?=
Date: Thu, 18 Feb 2021 18:13:19 -0500
Subject: [PATCH] Fix: lttng-ctl: appending to dynamic buffer invalidates its data member
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

`lttng_register_trigger` samples the address of the lsm header in the message payload. However, it does so before calling `lttng_trigger_serialize()` which may increase the underlying buffer's size (and cause a realloc()). Most of the time the message buffer is large enough _or_ its realloc yields the same address which hid the problem. However, I stumbled on a case (a trigger which snapshots to a long location) where the realloc ends-up returning a completely different address, causing invalid data to be sent to the session daemon.

Signed-off-by: Jérémie Galarneau
Change-Id: I8e4323dac778bc2a1af7b6e2cca42f6521abaee2
---
 src/lib/lttng-ctl/lttng-ctl.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/lib/lttng-ctl/lttng-ctl.c b/src/lib/lttng-ctl/lttng-ctl.c
index d0a117f4b..5b774e1d6 100644
--- a/src/lib/lttng-ctl/lttng-ctl.c
+++ b/src/lib/lttng-ctl/lttng-ctl.c
@@ -3147,18 +3147,18 @@ int lttng_register_trigger(struct lttng_trigger *trigger)
 		goto end;
 	}
 
-	/*
-	 * This is needed to populate the trigger object size for the command
-	 * header.
-	 */
-	message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
-
 	ret = lttng_trigger_serialize(trigger, &message);
 	if (ret < 0) {
 		ret = -LTTNG_ERR_UNK;
 		goto end;
 	}
 
+	/*
+	 * This is needed to populate the trigger object size for the command
+	 * header.
+	 */
+	message_lsm = (struct lttcomm_session_msg *) message.buffer.data;
+
 	message_lsm->u.trigger.length = (uint32_t) message.buffer.size - sizeof(lsm);
 
 	{
-- 
2.34.1
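Review bot: The moved comment above the new `message_lsm = (struct lttcomm_session_msg *) message.buffer.data;` line still says only that the assignment populates the trigger length, not why it must now come after `lttng_trigger_serialize()`, so the ordering that this commit fixes is one careless refactor away from regressing. I would extend the comment to state the invariant: `/* Sample the header address only after serialization: lttng_trigger_serialize() may grow (realloc) message.buffer, which invalidates any earlier pointer into it. */`. The same invariant applies to anything that appends to `message.buffer` between this sample and the `message_lsm->u.trigger.length` write; the block opened by `{` at the end of the hunk, and the rest of `lttng_register_trigger`, are outside the hunk, so I cannot confirm from here that no further append happens before the header is used. As a secondary point, `(uint32_t) message.buffer.size - sizeof(lsm)` casts only the left operand, so the subtraction is done in `size_t` and then narrowed on assignment; the intent reads as `(uint32_t) (message.buffer.size - sizeof(lsm))`, though that line is pre-existing context rather than part of this change.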