The Nasty Case of TDB Commit...

[Rusty Russell]

Hi all,

   I finally produced a unit test for "handle processes dying" (in CCAN: it
has unit test infrastructure which suits this better than the torture system
in SAMBA), and it uncovered what I think is a nasty bug.

   If a process (or the machine) dies after just after writing the
recovery head (pointing at the end of file), the recovery record will filled
with 0x42.  This will not invoke a recovery on open, since rec.magic
!= TDB_RECOVERY_MAGIC.

  Unfortunately, the first transaction commit will happily reuse that
area: tdb_recovery_allocate() doesn't check the magic.  The recovery
record has length 0x42424242, and it writes that back into the
now-valid-looking transaction header) for the next comer (which happens
to be tdb_wipe_all here).

I think the fix is that tdb_recovery_allocate() has to just ignore a
header with invalid magic (not 0, not TDB_RECOVERY_MAGIC).

My untested git tree is:

	http://git.samba.org/?p=rusty/samba.git;a=summary (tdb-cleanups)

I will be MIA for a few days, hence the post now.

Thanks,
Rusty.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aborted-after-write-recovery-head.tdb.bz2
Type: application/x-bzip
Size: 91 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100205/b0c2cd4d/attachment.bin>