ndb - bug#34107 patch 1, kernel

ndb/src/kernel/blocks/dbtup/Dbtup.hpp:
  bug#34107 check stored proc overflow
ndb/src/kernel/blocks/dbtup/DbtupExecQuery.cpp:
  bug#34107 check stored proc overflow
ndb/src/kernel/blocks/dbtup/DbtupStoredProcDef.cpp:
  bug#34107 check stored proc overflow
ndb/src/ndbapi/ndberror.c:
  bug#34107 check stored proc overflow

4 files changed, 23 insertions, 6 deletions

diff --git a/ndb/src/kernel/blocks/dbtup/Dbtup.hpp b/ndb/src/kernel/blocks/dbtup/Dbtup.hpp
index a80f4542fee..829156ef15a 100644
--- a/ndb/src/kernel/blocks/dbtup/Dbtup.hpp
+++ b/ndb/src/kernel/blocks/dbtup/Dbtup.hpp
@@ -198,6 +198,7 @@
 #define ZUNSUPPORTED_BRANCH 892
 
 #define ZSTORED_SEIZE_ATTRINBUFREC_ERROR 873 // Part of Scan
+#define ZSTORED_TOO_MUCH_ATTRINFO_ERROR 874
 
 #define ZREAD_ONLY_CONSTRAINT_VIOLATION 893
 #define ZVAR_SIZED_NOT_SUPPORTED 894
@@ -2173,7 +2174,8 @@ private:
                      Operationrec* regOperPtr,
                      Uint32 lenAttrInfo);
   void storedSeizeAttrinbufrecErrorLab(Signal* signal,
-                                       Operationrec* regOperPtr);
+                                       Operationrec* regOperPtr,
+                                       Uint32 errorCode);
   bool storedProcedureAttrInfo(Signal* signal,
                                Operationrec* regOperPtr,
                                Uint32 length,
diff --git a/ndb/src/kernel/blocks/dbtup/DbtupExecQuery.cpp b/ndb/src/kernel/blocks/dbtup/DbtupExecQuery.cpp
index 298fb183bc3..9ab4fb34827 100644
--- a/ndb/src/kernel/blocks/dbtup/DbtupExecQuery.cpp
+++ b/ndb/src/kernel/blocks/dbtup/DbtupExecQuery.cpp
@@ -77,6 +77,14 @@ void Dbtup::copyAttrinfo(Signal* signal,
     RbufLen = copyAttrBufPtr.p->attrbuf[ZBUF_DATA_LEN];
     Rnext = copyAttrBufPtr.p->attrbuf[ZBUF_NEXT];
     Rfirst = cfirstfreeAttrbufrec;
+    /*
+     * ATTRINFO comes from 2 mutually exclusive places:
+     * 1) TUPKEYREQ (also interpreted part)
+     * 2) STORED_PROCREQ before scan start
+     * Assert here that both have a check for overflow.
+     * The "<" instead of "<=" is intentional.
+     */
+    ndbrequire(RinBufIndex + RbufLen < ZATTR_BUFFER_SIZE);
     MEMCOPY_NO_WORDS(&inBuffer[RinBufIndex],
                      &copyAttrBufPtr.p->attrbuf[0],
                      RbufLen);
diff --git a/ndb/src/kernel/blocks/dbtup/DbtupStoredProcDef.cpp b/ndb/src/kernel/blocks/dbtup/DbtupStoredProcDef.cpp
index 37fcd3df317..f4215b6da7d 100644
--- a/ndb/src/kernel/blocks/dbtup/DbtupStoredProcDef.cpp
+++ b/ndb/src/kernel/blocks/dbtup/DbtupStoredProcDef.cpp
@@ -108,6 +108,11 @@ void Dbtup::scanProcedure(Signal* signal,
   regOperPtr->attrinbufLen = lenAttrInfo;
   regOperPtr->currentAttrinbufLen = 0;
   regOperPtr->pageOffset = storedPtr.i;
+  if (lenAttrInfo >= ZATTR_BUFFER_SIZE) { // yes ">="
+    jam();
+    // send REF and change state to ignore the ATTRINFO to come
+    storedSeizeAttrinbufrecErrorLab(signal, regOperPtr, ZSTORED_TOO_MUCH_ATTRINFO_ERROR);
+  }
 }//Dbtup::scanProcedure()
 
 void Dbtup::copyProcedure(Signal* signal,
@@ -146,7 +151,7 @@ bool Dbtup::storedProcedureAttrInfo(Signal* signal,
   Uint32 RnoFree = cnoFreeAttrbufrec;
   if (ERROR_INSERTED(4004) && !copyProcedure) {
     CLEAR_ERROR_INSERT_VALUE;
-    storedSeizeAttrinbufrecErrorLab(signal, regOperPtr);
+    storedSeizeAttrinbufrecErrorLab(signal, regOperPtr, ZSTORED_SEIZE_ATTRINBUFREC_ERROR);
     return false;
   }//if
   regOperPtr->currentAttrinbufLen += length;
@@ -162,7 +167,7 @@ bool Dbtup::storedProcedureAttrInfo(Signal* signal,
     regAttrPtr.p->attrbuf[ZBUF_NEXT] = RNIL;
   } else {
     ljam();
-    storedSeizeAttrinbufrecErrorLab(signal, regOperPtr);
+    storedSeizeAttrinbufrecErrorLab(signal, regOperPtr, ZSTORED_SEIZE_ATTRINBUFREC_ERROR);
     return false;
   }//if
   if (regOperPtr->firstAttrinbufrec == RNIL) {
@@ -190,7 +195,7 @@ bool Dbtup::storedProcedureAttrInfo(Signal* signal,
   }//if
   if (ERROR_INSERTED(4005) && !copyProcedure) {
     CLEAR_ERROR_INSERT_VALUE;
-    storedSeizeAttrinbufrecErrorLab(signal, regOperPtr);
+    storedSeizeAttrinbufrecErrorLab(signal, regOperPtr, ZSTORED_SEIZE_ATTRINBUFREC_ERROR);
     return false;
   }//if
 
@@ -211,7 +216,8 @@ bool Dbtup::storedProcedureAttrInfo(Signal* signal,
 }//Dbtup::storedProcedureAttrInfo()
 
 void Dbtup::storedSeizeAttrinbufrecErrorLab(Signal* signal,
-                                            Operationrec* regOperPtr)
+                                            Operationrec* regOperPtr,
+                                            Uint32 errorCode)
 {
   StoredProcPtr storedPtr;
   c_storedProcPool.getPtr(storedPtr, (Uint32)regOperPtr->pageOffset);
@@ -222,7 +228,7 @@ void Dbtup::storedSeizeAttrinbufrecErrorLab(Signal* signal,
   regOperPtr->lastAttrinbufrec = RNIL;
   regOperPtr->transstate = ERROR_WAIT_STORED_PROCREQ;
   signal->theData[0] = regOperPtr->userpointer;
-  signal->theData[1] = ZSTORED_SEIZE_ATTRINBUFREC_ERROR;
+  signal->theData[1] = errorCode;
   signal->theData[2] = regOperPtr->pageOffset;
   sendSignal(regOperPtr->userblockref, GSN_STORED_PROCREF, signal, 3, JBB);
 }//Dbtup::storedSeizeAttrinbufrecErrorLab()
diff --git a/ndb/src/ndbapi/ndberror.c b/ndb/src/ndbapi/ndberror.c
index 4c60e384e6c..27b640489f6 100644
--- a/ndb/src/ndbapi/ndberror.c
+++ b/ndb/src/ndbapi/ndberror.c
@@ -291,6 +291,7 @@ ErrorBundle ErrorCodes[] = {
   { 242,  AE, "Zero concurrency in scan"},
   { 244,  AE, "Too high concurrency in scan"},
   { 269,  AE, "No condition and attributes to read in scan"},
+  { 874,  AE, "Too much attrinfo (e.g. scan filter) for scan in tuple manager" },
   { 4600, AE, "Transaction is already started"},
   { 4601, AE, "Transaction is not started"},
   { 4602, AE, "You must call getNdbOperation before executeScan" },