
Key: CORE-1506
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Alexander Peshkov
Reporter: Claudio Valderrama C.
Votes: 0
Watchers: 0
Firebird Core

Server crash with isc_dsql_execute_immediate and zero length string

Created: 12/Sep/07 10:29 PM   Updated: 26/Nov/08 06:01 AM
Component/s: Engine
Affects Version/s: 1.0.3, 1.5.2, 1.5.3, 2.0.0, 1.5.4, 2.0.1, 2.1 Alpha 1, 2.1 Beta 1, 2.0.2, 2.0.3, 2.1 Beta 2, 2.1 RC1, 2.1.0, 2.0.4, 3.0.0
Fix Version/s: 2.0.5, 2.1.2, 2.5 Beta 1

Time Tracking:
Not Specified

Environment: Platform independent.


Description
We have a wonderful crash in the server if we use isc_dsql_execute_immediate with a zero-length string (with a null string the client library crashes the application in PREPARSE_execute).

The call stack in the server follows:

strlen() line 78
dsql8_execute_immediate_common(long * 0x0298f5fc, void * * 0x0243f488, void * * 0x0298f5dc, unsigned short 0, const char * 0x00000000, unsigned short 32, unsigned short 0, const unsigned char * 0x00000000, unsigned short 0, unsigned short 0, unsigned char * 0x00000000, unsigned short 0, unsigned char * 0x00000000, unsigned short 0, unsigned short 0, unsigned char * ...) line 667 +
dsql8_execute_immediate(long * 0x0298f5fc, void * * 0x0243f488, void * * 0x0298f5dc, unsigned short 0, const char * 0x00000000, unsigned short 32, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 776 + 79 bytes
isc_dsql_exec_immed3_m(long * 0x0298f5fc, void * * 0x0243f488, void * * 0x0298f5dc, unsigned short 0, const char * 0x00000000, unsigned short 32, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 2938 + 94 bytes
rem_port::execute_immediate(P_OP op_exec_immediate, p_sqlst * 0x0298fa94, packet * 0x0298fb44) line 2048
process_packet2(rem_port * 0x013a7eec, packet * 0x0298fb44, packet * 0x0298f890, rem_port * * 0x00000000) line 3611
process_packet(rem_port * 0x013a7eec, packet * 0x0298fb44, packet * 0x0298f890, rem_port * * 0x00000000) line 3363 + 21 bytes
SRVR_main(rem_port * 0x013a7eec, unsigned short 120) line 289 + 28 bytes

As seen, the error is in the "remote" (server) layer around the engine.

In the client side we have this:

isc_dsql_exec_immed3_m(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 2869
isc_dsql_exec_immed2_m(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 2838
isc_dsql_exec_immed2(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, XSQLDA * 0x00000000, XSQLDA * 0x00000000) line 2654 + 115 bytes
isc_dsql_execute_immediate(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, XSQLDA * 0x00000000) line 2599
passthrough(const char * 0x0110001f) line 7643 + 35 bytes
frontend(const char * 0x01100014) line 5622 + 15 bytes
get_statement(char * const 0x01100014, const unsigned int 65535, const char * 0x0044c694) line 6180 + 9 bytes
do_isql() line 4888 + 20 bytes

but it's not clear to me why, when exec_immed2_m calls PREPARSE_execute, the error condition set inside that function is lost and immed2_m proceeds to call exec_immed3_m anyway (which in turn calls REM_execute_immediate2).

However, this client-side issue is no excuse for the server to crash.
To reproduce, simply type in an isql session

passthrough;

in the DEV build. This will send to the server the equivalent of this:
isc_dsql_execute_immediate(isc_status, &DB, &M__trans, 0, "", 3, NULL)

The error was reproduced on Windows 2000, with both the local protocol and a TCP/IP connection, and it affects all FB versions I tested (from v1.0 to the latest developments) and probably all IB versions.
The server should be more reliable. :-)
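Added example, not taken from the report or from Firebird's own sources: a guarded length resolution in C that shows the check the server-side stack trace calls for. It assumes the API convention the trace implies (a statement length of 0 means "the string is NUL-terminated, measure it with strlen()") and uses hypothetical status codes and function names (resolve_sql_length, execute_immediate_guarded) rather than Firebird's isc_* codes or internal entry points. The point is that a NULL statement pointer, which is what the remote layer hands the engine for a zero-length string, is rejected before strlen() ever runs on it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example; not Firebird's isc_* codes. */
enum sql_len_status { SQL_LEN_OK = 0, SQL_LEN_NULL_PTR = 1, SQL_LEN_EMPTY = 2 };

struct sql_len {
    int status;   /* one of sql_len_status */
    size_t len;   /* effective statement length in bytes, 0 on error */
};

/* Resolve the effective statement length under the assumed convention:
 * length == 0 means "NUL-terminated, use strlen()". Unlike the crashing
 * path in the trace, a NULL pointer is rejected before strlen() is called,
 * and an empty statement is reported as an error rather than executed. */
struct sql_len resolve_sql_length(const char *stmt, unsigned short length)
{
    struct sql_len r = { SQL_LEN_OK, 0 };
    if (stmt == NULL) {
        r.status = SQL_LEN_NULL_PTR;
        return r;
    }
    r.len = (length == 0) ? strlen(stmt) : (size_t)length;
    if (r.len == 0)
        r.status = SQL_LEN_EMPTY;
    return r;
}

/* Simulated server-side entry point for "execute immediate". It mirrors the
 * two inputs from the report: the remote layer passing (NULL, 0) to the
 * engine, and isql's passthrough sending ("", 0). Returns 0 on success and
 * -1 where a real server would fill the ISC status vector with an error. */
int execute_immediate_guarded(const char *stmt, unsigned short length)
{
    struct sql_len r = resolve_sql_length(stmt, length);
    if (r.status != SQL_LEN_OK)
        return -1;
    /* A real implementation would parse and execute stmt[0 .. r.len) here. */
    return 0;
}

int main(void)
{
    /* Constructed inputs: the two crashing cases and one well-formed call. */
    printf("(NULL, 0)      -> %d\n", execute_immediate_guarded(NULL, 0));
    printf("(\"\", 0)        -> %d\n", execute_immediate_guarded("", 0));
    printf("(\"select 1\", 0) -> %d\n", execute_immediate_guarded("select 1 from rdb$database", 0));
    return 0;
}
```

The same resolver also covers the explicit-length form of the call: when the caller supplies a non-zero length, the string is not required to be NUL-terminated and strlen() is never reached, which is the behaviour a caller passing a buffer slice relies on.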


