Buffer overflow in maporaclespatial with large sql data

[arovira]

Hello,

I get a core dump when I using a oracle layer definition:

LAYER
    CLASSITEM "vu_id"
    CONNECTION "cerc/cerc@cerc"
    CONNECTIONTYPE ORACLESPATIAL
    DATA "SHAPE from (select id,shape,vu_id from cercalia.LOIS_MAPA where (categoria_id = '9CQRUT' and tipo_id = '039') or  ...

**** BANDWITDH SAVER **** ;-)

 ... or (categoria_id = '9CQRUT' and tipo_id = '029')) using srid 558000" DEBUG ON
    DUMP TRUE
      METADATA
      END
    NAME "lois"
    SIZEUNITS PIXELS
    STATUS ON
    TOLERANCEUNITS PIXELS
    TYPE LINE
    UNITS METERS
    CLASS
      EXPRESSION /4560/
      METADATA
      END
      STYLE
        ANGLE 360
        OUTLINECOLOR 250 220 0
        SIZE 4
        SYMBOL 8
      END
    END
END

After dig a bit in mapOracleSpatial.c, I see that table_name array is too small to hold the select string that is about 3200 bytes.

Line 1628 in mapOracleSpatial.c:

 /* create SQL statement for retrieving shapes */
 int msOracleSpatialLayerWhichShapes( layerObj *layer, rectObj rect )
 {
     int success, i;
     int function = 0;
     int version = 0;
     char query_str[6000];
     char table_name[2000], geom_column_name[100], unique[100], srid[100];

It's a bit annoying must recompile mapserver only for this little thing.

The best solution is modify it to use dinamic strings but it's more easy increase the size of the array.

If you are interested with the first solution a I can spend some time implementing it.

Thanks, Albert.

[aboudreault]

Fixed and committed in r9527.

arovira, may you test your case with mapserver trunk and see if everything is ok?

[dmorissette]

Let's close now. We can always reopen later if there are problems with the fix.

[tnolte]

This is breaking Oracle Spatial queries. When I apply this patch I can no longer perform selection queries. I get ORA 3113 errors.

[aboudreault]

Not sure why you get that error... but I'm using it here. Did you verify the error cause? ​http://ora-03113.ora-code.com/

[tnolte]

Here is all of the error information I am getting while this patch is applied:

URL: ​http://ms-test.ilpcs.com/cgi-bin/OLDmapserv?layers=on_air&session=4b03ec21b8ac9&map=%2Ftmp%2Fsess_4b03ec21b8ac9%2Fipcs_cell_sites.map&map_imagetype=PNG&mode=map&ts=1258548350236&queryfile=%2Ftmp%2Fsess_4b03ec21b8ac9%2Fipcs_cell_sites_query.qy&mapext=-86.146744828919+44.186636597938+-84.841322181391+45.241404639176&imgext=-86.146744828919+44.186636597938+-84.841322181391+45.241404639176&map_size=776+627&imgx=388&imgy=313.5&imgxy=776+627

MapServer Error Log: CGI Request 1 on process 6771 msOracleSpatialLayerResultGetShape: OracleSpatial error. ORA-03113: end-of-file on communication channel msOracleSpatialLayerResultGetShape(): OracleSpatial error. msOracleSpatialLayerResultGetShape could not fetch specified record. msDrawMap(): Image handling error. Failed to draw layer named 'on_air'. msFreeMap(): freeing map at 81e4680.

Oracle Trace: /u01/app/oracle/admin/nps/udump/nps_ora_8891.trc Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1 System name: SunOS Node name: nps Release: 5.8 Version: Generic_117350-26 Machine: sun4u Instance name: nps Redo thread mounted by this instance: 1 Oracle process number: 38 Unix process pid: 8891, image: oracle@nps

* ACTION NAME:() 2009-11-17 14:36:49.795 * MODULE NAME:(mapserv@ms-test (TNS V1-V3)) 2009-11-17 14:36:49.795 * SERVICE NAME:(nps.ilpcs.com) 2009-11-17 14:36:49.794 * SESSION ID:(124.228) 2009-11-17 14:36:49.794 opitsk: network error occurred while two-task server trying to send break; error code = 12592

When I remove this patch the image is generated without any errors.

[tnolte]

Replying to tnolte: Sorry, didn't realize line breaks needed to be manually entered.

URL: ​http://ms-test.ilpcs.com/cgi-bin/OLDmapserv?layers=on_air&session=4b03ec21b8ac9&map=%2Ftmp%2Fsess_4b03ec21b8ac9%2Fipcs_cell_sites.map&map_imagetype=PNG&mode=map&ts=1258548350236&queryfile=%2Ftmp%2Fsess_4b03ec21b8ac9%2Fipcs_cell_sites_query.qy&mapext=-86.146744828919+44.186636597938+-84.841322181391+45.241404639176&imgext=-86.146744828919+44.186636597938+-84.841322181391+45.241404639176&map_size=776+627&imgx=388&imgy=313.5&imgxy=776+627[[BR]]
MapServer Error Log:
CGI Request 1 on process 6771
msOracleSpatialLayerResultGetShape: OracleSpatial error. ORA-03113: end-of-file on communication channel
msOracleSpatialLayerResultGetShape(): OracleSpatial error. msOracleSpatialLayerResultGetShape could not fetch specified record.
msDrawMap(): Image handling error. Failed to draw layer named 'on_air'.
msFreeMap(): freeing map at 81e4680.

Oracle Trace:
/u01/app/oracle/admin/nps/udump/nps_ora_8891.trc
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1
System name: SunOS
Node name: nps
Release: 5.8
Version: Generic_117350-26
Machine: sun4u
Instance name: nps
Redo thread mounted by this instance: 1
Oracle process number: 38
Unix process pid: 8891, image: oracle@nps

* ACTION NAME:() 2009-11-17 14:36:49.795
* MODULE NAME:(mapserv@ms-test (TNS V1-V3)) 2009-11-17 14:36:49.795
* SERVICE NAME:(nps.ilpcs.com) 2009-11-17 14:36:49.794
* SESSION ID:(124.228) 2009-11-17 14:36:49.794
opitsk: network error occurred while two-task server trying to send break; error code = 12592

When I remove this patch the image is generated without any errors.

[aboudreault]

Are you testing with trunk or you pacthed another version of MapServer ? It would be useful to see if you can reproduce that bug with the svn trunk. thanks

[tnolte]

I patched 5.6 beta 5.

[aboudreault]

Do you think you could provide me a test case please ? I tried to reproduce it with my current data without success.

[tnolte]

Patch Failure Test Case Files

[tnolte]

I just attached a ZIP file containing what will hopefully give you what you need. Our Oracle database has proprietary data that I can't give you. I was able to give you the Oracle View structure, the spatial point data, and the mapfile and query file that were used. I also included the exact URL that is used to pull up the image and a PNG of what the results should be. Let me know if you need anything more.

[aboudreault]

tnolte, may you tell me if you can reproduce that bug using a "normal" cgi query in mode=nquery (without queryfile parameter) ?

[aboudreault]

Can't reproduce that bug. Your mapfile even doesn't use a long table name, so the only difference is that the string is allocated dynamically rather than statically. Unfortunately, I'm having some server problems with my oracle server at the moment and the tests I can do are very limited. I would appreciate if you could test the same request with the last svn trunk. Also, if you add DEBUG 5 in your layer and a CONFIG "MS_ERRORFILE" "/tmp/mapserver.log" at map level, you should be able to see the sql sent to oracle. Something similar to:

[Thu Nov 19 15:01:47 2009].942143 msOracleSpatialLayerWhichShapes. Using this Sql to retrieve the data: SELECT rownum, NAME, ORA_GEOMETRY FROM popplace4d WHERE SDO_FILTER( ORA_GEOMETRY, MDSYS.SDO_GEOMETRY(2003, :srid, NULL,MDSYS.SDO_ELEM_INFO_ARRAY(1,1003,3),:ordinates),'querytype=window') = 'TRUE'

The sql statements between your patched mapserver and original beta5 mapserver should be exactly the same. Otherwise, that would help me to see if there is something wrong.

If you can reproduce that bug with trunk and it is really caused by that patch, I would suggest to remove it to not delay the mapserver 5.6 release even more.

[tnolte]

Debug data for unpatched working request.

[tnolte]

Debug data for the patched nonworking request.

[aboudreault]

tnolte, your bug really look's like another bug about queries we fixed recently. Apply that patch: ​http://trac.osgeo.org/mapserver/changeset/9556 and give it a try.

[aboudreault]

tnolte, did you get a chance to test the svn trunk, or the patch I proposed ?

[tnolte]

Sorry, I was out all last week. I will test tomorrow.

[aboudreault]

If you prefer, you can test the mapserver 5.6.0-rc1 release, which contains the patch.

[tnolte]

Looks like things are all working now in rc1.

[aboudreault]

Excellent! Thanks!