y494890511 / memcached

Automatically exported from code.google.com/p/memcached
0 stars 0 forks source link

Incorrect result of 'decr' and 'incr' operation on empty item under some circumstances #379

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

Issue the following ASCII commands:

set a 0 0 20
18446744073709551616
STORED
incr a 1
CLIENT_ERROR cannot increment or decrement non-numeric value
set a 0 0 0

STORED
decr a 1
46744073709551615
incr a 1
46744073709551616

What is the expected output? What do you see instead?

I would expect the last two decr and incr to fail with:
"CLIENT_ERROR cannot increment or decrement non-numeric value"

Instead, I see that decr is storing some seemingly "random" value.

What version of the product are you using? On what operating system?

Ubuntu 14.04, memcached 1.4.20

Original issue reported on code.google.com by tgrab...@cloudius-systems.com on 17 Oct 2014 at 3:20

GoogleCodeExporter commented 9 years ago
Well... this bug is nasty.

It wasn't checking that the data was nonzero in size. Internally it uses 
strtoull, which ignores initial characters matched as spaces, then attempts to 
parse the rest of the number.

An empty item has "\r\n" in the data section (min size 2), so if there's 
parseable memory beyond the end of the data section in that chunk, possibly 
from data previously occupying that space, it'll successfully delta it.

It won't corrupt memory, since it later tests for space to write the new value 
into (it->nbytes), and will then allocate a new item for the storage.

So.. a small win there at least.

Pushed a fix to 'next' branch.

Original comment by dorma...@rydia.net on 1 Jan 2015 at 6:42