Bug#35155005 Buffers for holding a key of 'MAX_KEY_SIZE' are allocated too small

Ole John Aske · Ole John Aske · commit 5fb5dc0b0031 · 2023-04-24T21:47:01.000+02:00
NdbIndexScanOperation::getDistKeyFromRange() allocated the tmp[] buffer as a working area for
Ndb::computeHash() to xfrm the key into if need.

The buffer was allocated with the correct size for transforming a key
of NDB_MAX_KEY_SIZE, multiplied with the MAX_XFRM_MULTIPLY.

However, the same buffer was also used in case a key column
needed shrink_varchar()-reformat (and copy) of the key. Thus,
possibly leaving a too small buffer remaining for the hash-xfrm
of the key in ::computeHash()

Patch divide the buffer usage into two seperate buffers:

  - Uint32 xfrmbuf[ MAX_KEY_SIZE_IN_WORDS * MAX_XFRM_MULTIPLY ]
    Used only as argument to ::computeHash()

  - Uint32 shrinkbuf[ MAX_KEY_SIZE_IN_WORDS ]
    Used in case we need to shrink_varchar()-copy the key.

Change-Id: I9589269ce0e2dc084f262817f0708797032a9e84
diff --git a/storage/ndb/src/ndbapi/NdbScanOperation.cpp b/storage/ndb/src/ndbapi/NdbScanOperation.cpp
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2003, 2022, Oracle and/or its affiliates.
+   Copyright (c) 2003, 2023, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -762,11 +762,11 @@ NdbIndexScanOperation::getDistKeyFromRange(const NdbRecord *key_record,
                                            const char *row,
                                            Uint32* distKey)
 {
-  const Uint32 MaxKeySizeInLongWords= (NDB_MAX_KEY_SIZE + 7) / 8; 
-  // Note: xfrm:ed key can/will be bigger than MaxKeySizeInLongWords
-  Uint64 tmp[ MaxKeySizeInLongWords * MAX_XFRM_MULTIPLY ];
-  char* tmpshrink = (char*)tmp;
-  Uint32 tmplen = (Uint32)sizeof(tmp);
+  // Note: xfrm:ed key can/will be bigger than MAX_KEY_SIZE_IN_WORDS
+  Uint32 xfrmbuf[MAX_KEY_SIZE_IN_WORDS * MAX_XFRM_MULTIPLY];
+  char shrinkbuf[NDB_MAX_KEY_SIZE];
+  char* tmpshrink = shrinkbuf;
+  Uint32 tmplen = (Uint32)sizeof(shrinkbuf);
   
   /* This can't work for User Defined partitioning */
   assert(key_record->table->m_fragmentType != 
@@ -811,7 +811,7 @@ NdbIndexScanOperation::getDistKeyFromRange(const NdbRecord *key_record,
   
   Uint32 hashValue;
   int ret = Ndb::computeHash(&hashValue, result_record->table,
-                             ptrs, tmpshrink, tmplen);
+                             ptrs, xfrmbuf, sizeof(xfrmbuf));
   if (ret == 0)
   {
     *distKey = hashValue;
