The CTF message iterator accesses the `stored_values` array out of
bounds in the following situation:
- In the context of a src.ctf.lttng-live source, a ctf_trace_class gets
created from some metadata.
- At this point, ctf_trace_class->stored_value_count indicates that a
certain number of stored values are necessary given the metadata
parsed up to now.
- The message iterators are created with `stored_values` arrays of that
size.
- The source receives more metadata, which requires more stored
values.
- The message iterator reads some event described by the new metadata,
that requires the use of a stored value.
- Since the stored value arrays have not been resized to reflect the
necessary number of stored value considering the new metadata, the
message iterator tries to store a value past the end of the array.
Fix this by ensuring the `stored_values` array is large enough before
storing a value in it.
Add a test with a hand-crafted trace that replicates the scenario
described in the simplest manner possible:
- send a bit of metadata
- send a bit of data that uses that metadata
- send a bit more metadata (that requires a new stored value)
- send a bit of data that uses that new metadata
Without the fix, we get (when babeltrace is built in debug mode):
(╯°□°)╯︵ ┻━┻ /home/smarchi/src/babeltrace/src/plugins/ctf/common/msg-iter/msg-iter.cpp:1865: bfcr_unsigned_int_cb(): Assertion `(uint64_t) int_fc->storing_index < msg_it->stored_values->len` failed.
... showing the out of bounds array access.
Change-Id: I78e3ca57ac6cae1959425df3c8ffdbfeb534f348
Signed-off-by: Simon Marchi <simon.marchi@efficios.com>
Reviewed-on: https://review.lttng.org/c/babeltrace/+/10866
Reviewed-by: Philippe Proulx <eeppeliteloop@gmail.com>
Tested-by: jenkins <jenkins@lttng.org>
projects / babeltrace.git / commitdiff
