Description of problem:
Client using weird filter and delete-on-close lifetime policy over AMQP 1.0, broker segfaults.

Version-Release number of selected component (if applicable):
qpid-cpp-server-0.22-31.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
rm -rf /var/lib/qpidd/* ; service qpidd restart
qpid-receive -a "FilterQueue; {create: always, link: { filter: { value:'broadcast.Public.#', name: legacy-amqp-topic-binding, descriptor: 77567109365764 } }, node: { properties: {'lifetime-policy':'delete-on-close' } } }" --connection-options="{protocol:amqp1.0}"
qpid-stat -q | grep FilterQueue
qpid-receive -a "FilterQueue; {create: always, link: { filter: { value:'broadcast.Public.#', name: legacy-amqp-topic-binding, descriptor: 77567109365764 } }, node: { properties: {'lifetime-policy':'delete-on-close' } } }" --connection-options="{protocol:amqp1.0}"
(now broker segfaulted)

Actual results:
1st qpid-receive raises:
qpid-receive: Link detached by peer with amqp:internal-error: Found illegal character
qpid-stat shows the queue exists, although it should have been deleted due to the lifetime policy
2nd qpid-receive terminates as the broker is down

Expected results:
Just an error log is printed. qpid-stat shouldn't show the queue exists, 2nd qpid-receive should cause segfault.
Additional info:
Backtrace of segfault:
(gdb) bt
#0  0x0000003768c32925 in raise () from /lib64/libc.so.6
#1  0x0000003768c34105 in abort () from /lib64/libc.so.6
#2  0x0000003768c2ba4e in __assert_fail_base () from /lib64/libc.so.6
#3  0x0000003768c2bb10 in __assert_fail () from /lib64/libc.so.6
#4  0x000000376c5e7f02 in qpid::broker::Queue::QueueUsers::addLifecycleController (this=<value optimized out>) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Queue.cpp:1707
#5  0x000000376c5e82c6 in qpid::broker::Queue::markInUse (this=0x1b72e40, controlling=true) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Queue.cpp:518
#6  0x00007f50c964ef3a in qpid::broker::amqp::OutgoingFromQueue::OutgoingFromQueue (this=0x1b54810, broker=..., source="FilterQueue", target="FilterQueue", q=<value optimized out>, l=0x1b40fc0, session=..., o=..., type=qpid::broker::CONSUMER, e=false, p=true) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Outgoing.cpp:73
#7  0x00007f50c9667469 in qpid::broker::amqp::Session::setupOutgoing (this=0x1b76cb0, link=0x1b40fc0, source=<value optimized out>, name="FilterQueue") at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Session.cpp:445
#8  0x00007f50c96698a0 in qpid::broker::amqp::Session::attach (this=0x1b76cb0, link=0x1b40fc0) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Session.cpp:357
#9  0x00007f50c9626dd1 in qpid::broker::amqp::Connection::process (this=0x7f50ac0015d8) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Connection.cpp:270
#10 0x00007f50c96257fb in qpid::broker::amqp::Connection::decode (this=0x7f50ac0015d8, buffer=<value optimized out>, size=<value optimized out>) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Connection.cpp:127
#11 0x00007f50c9659ba1 in qpid::broker::amqp::Sasl::decode (this=0x7f50ac001580, buffer=<value optimized out>, size=295) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Sasl.cpp:49
#12 0x000000376d196a70 in qpid::sys::AsynchIOHandler::readbuff (this=0x1b54da0, buff=0x1b55420) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/AsynchIOHandler.cpp:130
#13 0x000000376d129e94 in operator() (this=0x1b3c540, h=...) at /usr/include/boost/function/function_template.hpp:1013
#14 qpid::sys::posix::AsynchIO::readable (this=0x1b3c540, h=...) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/posix/AsynchIO.cpp:453
#15 0x000000376d19b123 in boost::function1<void, qpid::sys::DispatchHandle&>::operator() (this=<value optimized out>, a0=<value optimized out>) at /usr/include/boost/function/function_template.hpp:1013
#16 0x000000376d19a271 in qpid::sys::DispatchHandle::processEvent (this=0x1b3c548, type=qpid::sys::Poller::READABLE) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/DispatchHandle.cpp:280
#17 0x000000376d14c712 in process (this=0x1a5a480) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/Poller.h:131
#18 qpid::sys::Poller::run (this=0x1a5a480) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/epoll/EpollPoller.cpp:522
#19 0x000000376c5c0112 in qpid::broker::Broker::run (this=<value optimized out>) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Broker.cpp:443
#20 0x000000000040a964 in qpid::broker::QpiddDaemon::child (this=<value optimized out>) at /usr/src/debug/qpid-0.22/cpp/src/posix/QpiddBroker.cpp:149
#21 0x000000376c593753 in qpid::broker::Daemon::fork (this=0x7fffaecf86c0) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Daemon.cpp:91
#22 0x000000000040750a in qpid::broker::QpiddBroker::execute (this=<value optimized out>, options=<value optimized out>) at /usr/src/debug/qpid-0.22/cpp/src/posix/QpiddBroker.cpp:193
#23 0x000000000040cb24 in qpid::broker::run_broker (argc=4, argv=0x7fffaecf8cf8, hidden=<value optimized out>) at /usr/src/debug/qpid-0.22/cpp/src/qpidd.cpp:108
#24 0x0000003768c1ed1d in __libc_start_main () from /lib64/libc.so.6
#25 0x0000000000406b99 in _start ()
Just a note: when removing '#' from value:'broadcast.Public.#' within the filter, no issue appears (weird, as the filter syntax does not prohibit the '#' char).
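An added check, written for this page and not taken from the bug report or from qpid itself, that decodes the numeric filter descriptor from the reproducer's address string and flags the mismatch between the `name` hint and what the descriptor actually selects. The descriptor table is assumed from the apache.org AMQP 1.0 filter extensions, and the '#' rule assumes the selector grammar rejects that character, as the "Found illegal character" error and the note above suggest.

```python
# Added example: sanity-check an AMQP 1.0 link filter map before attaching.
# Not qpid code; the descriptor table and the '#' rule are assumptions.

# Constructed: the link filter from the reproducer's address string.
REPRO_FILTER = {
    "name": "legacy-amqp-topic-binding",
    "descriptor": 77567109365764,
    "value": "broadcast.Public.#",
}

# Assumed apache.org extension descriptors (domain-id 0x0000468C), keyed by
# (domain-id, descriptor-id) as split out of the 64-bit ulong descriptor code.
APACHE_FILTER_DESCRIPTORS = {
    (0x0000468C, 0x00000000): "apache.org:legacy-amqp-direct-binding:string",
    (0x0000468C, 0x00000001): "apache.org:legacy-amqp-topic-binding:string",
    (0x0000468C, 0x00000002): "apache.org:legacy-amqp-headers-binding:map",
    (0x0000468C, 0x00000004): "apache.org:selector-filter:string",
    (0x0000468C, 0x00000005): "apache.org:xquery-filter:string",
}


def split_descriptor(code: int) -> tuple:
    """Split a ulong descriptor code into (domain-id, descriptor-id)."""
    if not 0 <= code < 1 << 64:
        raise ValueError("descriptor must be an unsigned 64-bit integer")
    return code >> 32, code & 0xFFFFFFFF


def describe(code: int) -> str:
    """Symbolic name of a descriptor, or a hex rendering if unknown."""
    dom, did = split_descriptor(code)
    return APACHE_FILTER_DESCRIPTORS.get((dom, did), f"unknown {dom:#010x}:{did:#010x}")


def check_filter(flt: dict) -> list:
    """Return warnings for a link filter map; an empty list means no concern."""
    warnings = []
    symbolic = describe(flt["descriptor"])
    kind = symbolic.split(":")[1] if symbolic.startswith("apache.org:") else None
    # Heuristic: the filter 'name' is only a key, but when it names a known
    # filter type and disagrees with the descriptor, the client is confused.
    if kind and flt.get("name") and flt["name"] != kind:
        warnings.append(f"name {flt['name']!r} does not match descriptor {symbolic}")
    # Assumed: '#' is a topic-binding wildcard, not a valid selector token.
    if kind == "selector-filter" and "#" in str(flt.get("value", "")):
        warnings.append("'#' in value: selector filter, not a topic binding key")
    return warnings
```

Running `check_filter(REPRO_FILTER)` reports both problems for the reproducer's filter, while the same value with the topic-binding descriptor 77567109365761 passes cleanly.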
Fixed upstream: https://svn.apache.org/r1557272
(In reply to Pavel Moravec from comment #0)
> Expected results:
> Just error log is print. qpid-stat shouldn't show the queue exists, 2nd
> qpid-receive should cause segfault.

2nd qpid-receive should NOT cause segfault, of course.
The issue does not occur anymore. The broker is still running if the client uses the wrong filter and delete-on-close lifetime policy over AMQP 1.0; nor is the "FilterQueue" displayed by the qpid-stat -q tool. Verified on packages qpid-cpp-0.22-35 and qpid-tools-0.22-8 on RHEL6-i686 and RHEL6-x86_64. --> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHEA-2014-1296.html