Server crash with isc_dsql_execute_immediate and zero length string [CORE1506] #1921
Labels
affect-version: 1.0.3
affect-version: 1.5.2
affect-version: 1.5.3
affect-version: 1.5.4
affect-version: 2.0.0
affect-version: 2.0.1
affect-version: 2.0.2
affect-version: 2.0.3
affect-version: 2.0.4
affect-version: 2.1 Alpha 1
affect-version: 2.1 Beta 1
affect-version: 2.1 Beta 2
affect-version: 2.1 RC1
affect-version: 2.1.0
affect-version: 3.0 RC2
component: engine
fix-version: 2.0.5
fix-version: 2.1.2
fix-version: 2.5 Beta 1
priority: major
qa: done successfully
type: bug
Submitted by: Claudio Valderrama C. (robocop)
We have a wonderful crash in the server if we use isc_dsql_execute_immediate
with a zero-length string (with a null string, the client library crashes the
application in PREPARSE_execute).
The call stack in the server follows:
strlen() line 78
dsql8_execute_immediate_common(long * 0x0298f5fc, void * * 0x0243f488, void * * 0x0298f5dc, unsigned short 0, const char * 0x00000000, unsigned short 32, unsigned short 0, const unsigned char * 0x00000000, unsigned short 0, unsigned short 0, unsigned char * 0x00000000, unsigned short 0, unsigned char * 0x00000000, unsigned short 0, unsigned short 0, unsigned char * ...) line 667 +
dsql8_execute_immediate(long * 0x0298f5fc, void * * 0x0243f488, void * * 0x0298f5dc, unsigned short 0, const char * 0x00000000, unsigned short 32, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 776 + 79 bytes
isc_dsql_exec_immed3_m(long * 0x0298f5fc, void * * 0x0243f488, void * * 0x0298f5dc, unsigned short 0, const char * 0x00000000, unsigned short 32, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 2938 + 94 bytes
rem_port::execute_immediate(P_OP op_exec_immediate, p_sqlst * 0x0298fa94, packet * 0x0298fb44) line 2048
process_packet2(rem_port * 0x013a7eec, packet * 0x0298fb44, packet * 0x0298f890, rem_port * * 0x00000000) line 3611
process_packet(rem_port * 0x013a7eec, packet * 0x0298fb44, packet * 0x0298f890, rem_port * * 0x00000000) line 3363 + 21 bytes
SRVR_main(rem_port * 0x013a7eec, unsigned short 120) line 289 + 28 bytes
As seen, the error is in the "remote" (server) layer around the engine.
In the client side we have this:
isc_dsql_exec_immed3_m(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 2869
isc_dsql_exec_immed2_m(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, unsigned short 0, const char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000, unsigned short 0, char * 0x00000000, unsigned short 0, unsigned short 0, char * 0x00000000) line 2838
isc_dsql_exec_immed2(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, XSQLDA * 0x00000000, XSQLDA * 0x00000000) line 2654 + 115 bytes
isc_dsql_execute_immediate(long * 0x00453214 long * isc_status, void * * 0x00454cb8 void * DB, void * * 0x00453210 M__trans, unsigned short 0, const char * 0x0110001f, unsigned short 3, XSQLDA * 0x00000000) line 2599
passthrough(const char * 0x0110001f) line 7643 + 35 bytes
frontend(const char * 0x01100014) line 5622 + 15 bytes
get_statement(char * const 0x01100014, const unsigned int 65535, const char * 0x0044c694) line 6180 + 9 bytes
do_isql() line 4888 + 20 bytes
but it's not clear to me why, when exec_immed2_m calls PREPARSE_execute, the error condition
set inside that function is lost and immed2_m proceeds to call exec_immed3_m anyway
(which in turn calls REM_execute_immediate2).
However, this client-side issue is no excuse for the server to crash.
To reproduce, simply type in an isql session
passthrough;
in the DEV build. This will send to the server the equivalent of this:
isc_dsql_execute_immediate(isc_status, &DB, &M__trans, 0, "", 3, NULL)
The error was reproduced in Windows 2000, with local protocol and TCP/IP connection
and it affects all FB versions I tested (from v1.0 to the latest developments) and
probably all IB versions.
The server should be more reliable. :-)
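The server-side stack above ends in strlen() called from dsql8_execute_immediate_common with a NULL statement pointer and a zero length. The following is an added example, not Firebird's code, that models the isc_dsql_* convention where a zero length means "the text is null-terminated, measure it", shows the unchecked pattern that dereferences a NULL pointer, and places a validating variant beside it that returns a status instead of crashing. The function and status names (sql_text_length_unsafe, sql_text_length_checked, SQL_TEXT_*) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example; Firebird reports such
   conditions through its status vector instead. */
enum sql_text_status {
    SQL_TEXT_OK = 0,
    SQL_TEXT_NULL_POINTER,   /* no statement text was supplied at all */
    SQL_TEXT_EMPTY           /* statement text is "" */
};

/* Unsafe pattern: a zero length is taken to mean "measure the string", so a
   NULL text pointer reaches strlen() and the process crashes, which is the
   shape of the failure in the report above. Never call this with NULL. */
static size_t sql_text_length_unsafe(const char *text, unsigned short length)
{
    return length ? (size_t)length : strlen(text);
}

/* Checked variant: validate the pointer before measuring, and refuse an
   empty statement rather than handing it on to the parser. */
static enum sql_text_status sql_text_length_checked(const char *text,
                                                    unsigned short length,
                                                    size_t *out_len)
{
    size_t n;
    if (text == NULL)
        return SQL_TEXT_NULL_POINTER;
    n = length ? (size_t)length : strlen(text);
    if (n == 0)
        return SQL_TEXT_EMPTY;
    *out_len = n;
    return SQL_TEXT_OK;
}

/* Stand-alone demonstration of the three inputs a remote layer can hand the
   engine: real text, an empty string, and a NULL pointer with length 0. */
int main(void)
{
    const char *inputs[] = { "select 1 from rdb$database", "", NULL };  /* constructed */
    size_t i;
    for (i = 0; i < 3; i++) {
        size_t n = 0;
        enum sql_text_status st = sql_text_length_checked(inputs[i], 0, &n);
        printf("input %zu: status %d, length %zu\n", i, (int)st, n);
    }
    return 0;
}
```

The checked variant keeps the API's "length 0 means null-terminated" behaviour for callers that rely on it, while making the NULL-pointer and empty-statement cases ordinary error returns that the caller can report to the client.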
Commits: 46a5869 3fc846d 79f97a1