diff options
author | dormando <dormando@rydia.net> | 2022-12-01 22:03:11 -0800 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2022-12-01 22:03:11 -0800 |
commit | 683bb98a55ba19f69c4e2a60b9104ed2edc971c3 (patch) | |
tree | f5795b64e0433b8ccd21d56f5005af0bf66219d3 /proxy_lua.c | |
parent | 5468b726004aa9651ad77ec3db2dbb9859137b53 (diff) | |
download | memcached-683bb98a55ba19f69c4e2a60b9104ed2edc971c3.tar.gz |
proxy: lua registry corruption on data chunk error
This was a nightmare to debug; I need some better tools here.
1) There's a helper routine that ensures the lua coroutine is cleared up
if an error happens while handling the network/etc.
2) On reading the value data from a set request, there's one last error
that can happen before the coroutine ownership is taken from the
connection object.
3) The bug was the set read completion code was unreferencing the
coroutine, but could still throw an error if the set data was
malformed.
4) Thus it would double free the reference.
5) Then really weird things wout happen to the registry: the same
reference ID would get handed out twice.
6) This blows up code later on as it gets data it doesn't expect, and
some referenced objects get clobbered.
7) This was triggered in combination of an earlier bug that would cause
bad data chunks on short writes in certain situations.
Took a long time to get a repro case outside of a benchmark; was looking
in the wrong place.
Diffstat (limited to 'proxy_lua.c')
0 files changed, 0 insertions, 0 deletions