Bug#35155005 Buffers for holding a key of 'MAX_KEY_SIZE' are allocated too small

Ole John Aske · Ole John Aske · commit 1eda52fd46d5 · 2023-04-24T21:36:30.000+02:00
The #define MAX_KEY_SIZE_IN_WORDS 1023 are used multiple places where
we need to define different kind of buffers for holding a tuple key.

Some places we define this buffer as an array of Uint64's, probably due
to a double word allignment were assumed to be more efficient when
accessing the key buffer.

As we right shifted-by-1 the MAX_KEY_SIZE_IN_WORDS when defining such
Uint64 arrays, *without* adding +1 to compensate for the alignment
truncation, the allocated Uint64 buffer ended up being a 'word' too
small to buffer a full MAX_KEY.

These Uint64 buffers where used for storing a key to calculate
a hash key - md5_hash() used to take a Uint64* aligned argument
for the value to be hashed.

This was changed by patch for Bug#35180841
    Remove requirement for md5_hash() input to be 8-byte aligned

Thus we can now define these buffers as Uint32[] instead.
Patch change these buffer definitions accordingly.

Change-Id: If5356bae4a3e997fdb09caa89fd3c3626b782d56
diff --git a/sql/ha_ndbcluster.cc b/sql/ha_ndbcluster.cc
@@ -8954,7 +8954,7 @@ ha_ndbcluster::start_transaction_row(const NdbRecord *ndb_record,
 
   Ndb *ndb= m_thd_ndb->ndb;
 
-  Uint64 tmp[(MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY) >> 1];
+  Uint32 tmp[MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY];
   char *buf= (char*)&tmp[0];
   trans= ndb->startTransaction(ndb_record,
                                (const char*)record,
@@ -8986,7 +8986,7 @@ ha_ndbcluster::start_transaction_key(uint inx_no,
   Ndb *ndb= m_thd_ndb->ndb;
   const NdbRecord *key_rec= m_index[inx_no].ndb_unique_record_key;
 
-  Uint64 tmp[(MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY) >> 1];
+  Uint32 tmp[MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY];
   char *buf= (char*)&tmp[0];
   trans= ndb->startTransaction(key_rec,
                                (const char*)key_data,
@@ -17783,7 +17783,7 @@ uint32 ha_ndbcluster::calculate_key_hash_value(Field **field_array)
   struct Ndb::Key_part_ptr *key_data_ptr= &key_data[0];
   Uint32 i= 0;
   int ret_val;
-  Uint64 tmp[(MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY) >> 1];
+  Uint32 tmp[MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY];
   void *buf= (void*)&tmp[0];
   DBUG_ENTER("ha_ndbcluster::calculate_key_hash_value");
 
diff --git a/storage/ndb/src/kernel/blocks/dblqh/DblqhMain.cpp b/storage/ndb/src/kernel/blocks/dblqh/DblqhMain.cpp
@@ -6049,28 +6049,28 @@ Dblqh::handle_nr_copy(Signal* signal, Ptr<TcConnectionrec> regTcPtr)
     if (len > 0 && !match &&
         g_key_descriptor_pool.getPtr(tableId)->hasCharAttr)
     {
-      Uint64 reqKey[ MAX_KEY_SIZE_IN_WORDS >> 1 ];
-      Uint64 dbXfrmKey[ (MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY) >> 1 ];
-      Uint64 reqXfrmKey[ (MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY) >> 1 ];
+      Uint32 reqKey[MAX_KEY_SIZE_IN_WORDS];
+      Uint32 dbXfrmKey[MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY];
+      Uint32 reqXfrmKey[MAX_KEY_SIZE_IN_WORDS*MAX_XFRM_MULTIPLY];
       Uint32 keyPartLen[MAX_ATTRIBUTES_IN_INDEX];
 
       jam();
 
       /* Transform db table key read from DB above into dbXfrmKey */
       const int dbXfrmKeyLen = xfrm_key(tableId,
                                         &signal->theData[24],
-                                        (Uint32*)dbXfrmKey,
+                                        dbXfrmKey,
                                         sizeof(dbXfrmKey) >> 2,
                                         keyPartLen);
       ndbassert(dbXfrmKeyLen > 0);
 
       /* Copy request key into linear space */
-      copy((Uint32*) reqKey, regTcPtr.p->keyInfoIVal);
+      copy(reqKey, regTcPtr.p->keyInfoIVal);
 
       /* Transform request key */
       const int reqXfrmKeyLen = xfrm_key(tableId,
-                                         (Uint32*)reqKey,
-                                         (Uint32*)reqXfrmKey,
+                                         reqKey,
+                                         reqXfrmKey,
                                          sizeof(reqXfrmKey) >> 2,
                                          keyPartLen);
       ndbassert(reqXfrmKeyLen > 0);
@@ -6410,7 +6410,7 @@ Uint32
 Dblqh::readPrimaryKeys(Uint32 opPtrI, Uint32 * dst, bool xfrm)
 {
   TcConnectionrecPtr regTcPtr;  
-  Uint64 Tmp[MAX_KEY_SIZE_IN_WORDS >> 1];
+  Uint32 Tmp[MAX_KEY_SIZE_IN_WORDS];
 
   jamEntry();
   regTcPtr.i = opPtrI;
