Skip to content

Fix #2601 misuses of LMDB API #2602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 9, 2022
Merged

Fix #2601 misuses of LMDB API #2602

merged 1 commit into from
Feb 9, 2022

Conversation

hyc
Copy link
Contributor

@hyc hyc commented Aug 9, 2021

Only open DBI once, doesn't need closing.
Never reuse a txn handle after commit.
Use MDB_RDONLY for txns that aren't doing any writes

@hyc
Fix owasp-modsecurity#2601 misuses of LMDB API
a6e1074 
Only open DBI once, doesn't need closing.
Never reuse a txn handle after commit.
Use MDB_RDONLY for txns that aren't doing any writes
@martinhsv
Copy link
Contributor

Hello @hyc ,

I finally had a chance to look at this in detail and one thing I wondered about:

There is a new member variable 'MDB_dbi m_dbi;' in the LMDB class -- which makes sense.

MDB_dbi is typedef'd to 'unsigned int', which means m_dbi is undefined initially.

The LMDB constructor will initialize it with a successful call to mdb_dbi_open.

But what if it fails? The return code from mdb_dbi_open isn't checked and we proceed as if it had been successful.

I had a look at both the LMDB documentation and (a brief) skim of the code and it doesn't look like a failure condition within mdb_dbi_open will result in the MDB_dbi out-parameter being updated to a special value or anything (that might have been checked for in subsequent calls to other functions).

Thoughts?

@hyc
Copy link
Contributor Author

hyc commented Jan 27, 2022

The default dbi, which is what your code uses, always exists and is always valid, so the mdb_dbi_open call will never fail.

@martinhsv martinhsv merged commit d0813fe into owasp-modsecurity:v3/master Feb 9, 2022
martinhsv added a commit that referenced this pull request Feb 9, 2022
@martinhsv
CHANGES: Adds info about #2602
378e31c
vladbukin pushed a commit to vladbukin/ModSecurity that referenced this pull request Apr 12, 2022
@martinhsv @vladbukin
CHANGES: Adds info about owasp-modsecurity#2602
6c6bd45
daixiang0 pushed a commit to daixiang0/ModSecurity that referenced this pull request Apr 24, 2022
@martinhsv @daixiang0
CHANGES: Adds info about owasp-modsecurity#2602
140c8f6
leyao-daily pushed a commit to leyao-daily/ModSecurity that referenced this pull request Jul 26, 2022
@martinhsv
CHANGES: Adds info about owasp-modsecurity#2602
d5e6438
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hyc @martinhsv