From owner-freebsd-bugs@FreeBSD.ORG Tue Mar 17 17:20:06 2009
Resent-Date: Tue, 17 Mar 2009 17:20:05 GMT
Resent-Message-Id: <200903171720.n2HHK5K1024205@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Nate Eldredge
Message-Id: <200903171717.n2HHH6b6089689@www.freebsd.org>
Date: Tue, 17 Mar 2009 17:17:06 GMT
From: Nate Eldredge
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/132735: Berkeley db: corrupted file has record with absurd size
List-Id: Bug reports
X-List-Received-Date: Tue, 17 Mar 2009 17:20:07 -0000

>Number:         132735
>Category:       bin
>Synopsis:       Berkeley db: corrupted file has record with absurd size
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 17 17:20:05 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Nate Eldredge
>Release:        7.1-RELEASE-p3
>Organization:
>Environment:
FreeBSD vulcan.lan 7.1-RELEASE-p3 FreeBSD 7.1-RELEASE-p3 #1: Mon Feb 23 14:45:27 PST 2009 root@vulcan.lan:/usr/obj/usr/src/sys/VULCAN amd64
>Description:
Hi,

I have a Berkeley db file that is corrupted somehow, and when it is read with the db routines (dbopen(3)) from libc, it returns bogus data that results in a crash. The file is available at http://www.math.ucsd.edu/~neldredg/testcase.db . It was produced by the recovery mechanism of vi(1), possibly while the system was crashing (I was working on a kernel bug at the time).

Is this normal behavior for db when the input file is corrupted, or is it supposed to be more robust?
>How-To-Repeat:
I wrote the following test program:

#include <sys/types.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <db.h>

/* Print a DBT as "(size) xx xx xx ...", trusting dbt->size as reported. */
void dump_dbt(const DBT *dbt)
{
    printf("(%zu)", dbt->size);
    size_t i;
    unsigned char *p = dbt->data;
    for (i = 0; i < dbt->size; i++)
        printf(" %02x", p[i]);
    printf("\n");
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s filename\n", argv[0]);
        exit(2);
    }
    /* Unbuffered stdout so everything printed before a crash is visible. */
    setvbuf(stdout, NULL, _IONBF, 0);

    DB *db = dbopen(argv[1], O_RDONLY, 0, DB_BTREE, NULL);
    if (!db) {
        perror("dbopen");
        exit(1);
    }

    int ret;
    DBT key, data;
    /* Walk every record in key order; seq returns 0 per record, 1 at end, -1 on error. */
    while ((ret = db->seq(db, &key, &data, R_NEXT)) == 0) {
        printf("Key: ");
        dump_dbt(&key);
        printf("Data: ");
        dump_dbt(&data);
    }
    if (ret != 1) {
        perror("db->seq");
        if (ret != -1) {
            fprintf(stderr, "Unexpected ret == %d\n", ret);
        }
        exit(1);
    }
    return 0;
}

When run on testcase.db, the output is:

Key: (3) 00 00 00
Data: (757739264) 00 00 00 00 00 [...]

followed by a segfault, since there obviously aren't 757739264 bytes of data in the file.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
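The crash in the report happens because the caller trusts dbt->size and walks 757739264 bytes of a record that the file cannot possibly hold. The following is an added example (not part of the report, nor FreeBSD's db code) of the plausibility check a defensive reader can apply before dumping a record returned by db->seq(): bound the claimed size by the backing file's size (which with dbopen(3) would be obtained via fstat on db->fd(db); here the descriptor and the 12288-byte file size are constructed test values) and by a hard cap, and never read past the bytes actually available. MAX_SANE_RECORD and the sample record below are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hard upper bound on any single record we are willing to believe.
 * Assumption for this example: no legitimate vi(1) recovery record
 * is anywhere near 64 MiB. */
#define MAX_SANE_RECORD (64u * 1024u * 1024u)

/* Size of the backing file, or -1 on error. With dbopen(3) the fd
 * would come from db->fd(db); here it is simply a parameter. */
off_t file_size_of_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return st.st_size;
}

/* A record claiming more bytes than the whole file contains, or more
 * than any sane record, cannot be valid. Returns 1 if plausible, 0 if
 * not (an unknown file size is treated as "not plausible"). */
int record_size_plausible(size_t claimed, off_t file_size)
{
    if (file_size < 0)
        return 0;
    if (claimed > MAX_SANE_RECORD)
        return 0;
    return (uintmax_t)claimed <= (uintmax_t)file_size;
}

/* Hex-dump at most `avail` bytes of a record that claims `claimed` bytes.
 * Returns the number of bytes actually dumped; *truncated is set when the
 * claim exceeded what was available, so the caller can report corruption
 * instead of crashing the way the unbounded dump_dbt() does. */
size_t dump_record_bounded(const unsigned char *p, size_t claimed,
                           size_t avail, FILE *out, int *truncated)
{
    size_t n = claimed < avail ? claimed : avail;
    *truncated = (n < claimed);
    fprintf(out, "(%zu", claimed);
    if (*truncated)
        fprintf(out, ", corrupt: showing %zu", n);
    fputc(')', out);
    for (size_t i = 0; i < n; i++)
        fprintf(out, " %02x", p[i]);
    fputc('\n', out);
    return n;
}

int main(void)
{
    /* Constructed stand-in for the record from testcase.db: the DBT
     * claims 757739264 bytes, but only a handful are really present. */
    const unsigned char sample[8] = {0};
    const size_t claimed = 757739264u;
    const off_t file_size = 12288;   /* constructed, not the real file's size */
    int truncated = 0;

    if (!record_size_plausible(claimed, file_size))
        fprintf(stderr, "record claims %zu bytes but file is only %lld bytes: corrupt\n",
                claimed, (long long)file_size);

    size_t n = dump_record_bounded(sample, claimed, sizeof sample, stdout, &truncated);
    printf("dumped %zu bytes, truncated=%d\n", n, truncated);
    return truncated ? 1 : 0;
}
```

In a real reader the loop would call record_size_plausible() on both key.size and data.size after each successful db->seq() and stop with an error on the first failure; the bounded dump is only for showing what little of a corrupt record is safe to inspect.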