Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

decode: prometheus: fix to avoid freeing non-malloced data #187

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

DavidKorczynski
Copy link
Contributor

@DavidKorczynski DavidKorczynski commented Jul 24, 2023

The fuzzer in fluent/fluent-bit#7745 found a bug that shows the prometheus decoder is sometimes freeing data that is not malloced. This is an attempt to fix that.

Please do verify this -- the fuzzer no longer finds the issue here and the bug is obvious, however, for coming up with a fix I found the code a bit tricky to validate as I'm not deeply familiar with this decoder.

The fuzzer in fluent/fluent-bit#7745 found a bug
that shows the prometheus decoder is sometimes freeing data that is not
malloced. This is an attempt to fix that.

Signed-off-by: David Korczynski <[email protected]>
@@ -166,20 +160,21 @@ static int split_metric_name(struct cmt_decode_prometheus_context *context,
}
*subsystem = strchr(*ns, '_');
if (!(*subsystem)) {
*name = *ns;
*ns = "";
*name = strdup(*ns);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check this result.

*ns = "";
*name = strdup(*ns);
free(*ns);
*ns = strdup("");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check this result.

}
else {
**subsystem = 0; /* split */
(*subsystem)++;
*name = strchr(*subsystem, '_');
if (!(*name)) {
*name = *subsystem;
*name = strdup(*subsystem);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check this result.

**name = 0;
(*name)++;
**name = '\0';
*name = strdup((*name)++);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check this result. and if possible dereference name in this way (*name)[1].

@edsiper
Copy link
Member

edsiper commented Feb 23, 2024

ping @DavidKorczynski on changes requested

@DavidKorczynski
Copy link
Contributor Author

I think the issue highlighted by this PR may need a more substantial fix. There is mixing of dynamically allocated memory and non-dynamically allocated memory, and in order to achieve consistency there is some rewriting needed (not just fixing). I think the owner/maintainer of the code should address the issues -- @tarruda can you assist here?

@edsiper
Copy link
Member

edsiper commented Mar 7, 2024

@tarruda it seems this needs a more elaborated solution. would you please take a look at it ? (cc: @niedbalski for visibility)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants