4 changes: 2 additions & 2 deletions src/flb_input_thread.c
Expand Up @@ -59,9 +59,9 @@ static inline int handle_input_event(flb_pipefd_t fd, struct flb_input_instance
uint64_t val;
struct flb_config *config = ins->config;

bytes = read(fd, &val, sizeof(val));
bytes = flb_pipe_r(fd, &val, sizeof(val));
if (bytes == -1) {
flb_errno();
flb_pipe_error();
return -1;
Comment on lines +62 to 65
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate mk_event_channel_create implementation/usages =="
rg -n -C3 'mk_event_channel_create|socketpair|pipe\(|recv\(|send\('

echo
echo "== Locate fixed-size flb_pipe_r reads and their guards =="
rg -n -C4 'flb_pipe_r\([^;]*sizeof\((val|uint64_t)\)\)' src include

echo
echo "== Inspect guards around handle_input_event and handle_input_thread_event =="
rg -n -C6 'handle_input_event|handle_input_thread_event|bytes == -1|bytes <= 0|bytes != sizeof' src/flb_input_thread.c

Repository: fluent/fluent-bit

Length of output: 50374


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Reading src/flb_input_thread.c lines 50-80 ==="
sed -n '50,80p' src/flb_input_thread.c

echo ""
echo "=== Checking flb_pipe.h for flb_pipe_r definition ==="
rg -n "^[^/]*flb_pipe_r" include/fluent-bit/flb_pipe.h -A 5

echo ""
echo "=== Looking for all guard patterns after flb_pipe_r calls ==="
rg -n -A 2 'flb_pipe_r.*sizeof' src/flb_input_thread.c

echo ""
echo "=== Checking both handler functions in detail ==="
rg -n -B 5 -A 8 'handle_input_event|handle_input_thread_event' src/flb_input_thread.c | head -80

Repository: fluent/fluent-bit

Length of output: 3962


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for all fixed-size flb_pipe_r reads ==="
rg -n 'flb_pipe_r.*sizeof.*uint64_t|flb_pipe_r.*sizeof.*output_flush' src/ -A 3 | head -60

echo ""
echo "=== Check if short-read validation exists anywhere for fixed-size protocol messages ==="
rg -n 'bytes != sizeof|ret != sizeof' src/flb_input_thread.c src/flb_output_thread.c

echo ""
echo "=== Verify the exact bit-field macros being used ==="
rg -n 'FLB_BITS_U64_HIGH|FLB_BITS_U64_LOW' include/fluent-bit/ -B 1 -A 1 | head -30

Repository: fluent/fluent-bit

Length of output: 1303


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Check mk_event_channel_create to understand channel semantics ==="
rg -n 'mk_event_channel_create' lib/monkey/include/monkey/ -A 15 2>/dev/null | head -50

echo ""
echo "=== Search for short-read handling in flb_pipe_write_all and flb_pipe_read_all ==="
cat src/flb_pipe.c 2>/dev/null || echo "File may not exist or other error"

Repository: fluent/fluent-bit

Length of output: 112


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for flb_pipe_read_all and flb_pipe_write_all implementations ==="
cat src/flb_pipe.c

echo ""
echo "=== Check if there's any documentation on atomicity ==="
rg -n 'socketpair|mk_event_channel' include/fluent-bit/ -B 2 -A 5 | head -60

Repository: fluent/fluent-bit

Length of output: 5485


Check guards before decoding fixed-size protocol messages in event handlers.

Lines 63 and 107 only reject -1. With flb_pipe_r() (wrapping recv/read), returning 0 (closed peer) or short positive reads is possible. Without validating full message reception, partial val data will corrupt bit-field extraction and misroute events.

Proposed fix
     bytes = flb_pipe_r(fd, &val, sizeof(val));
-    if (bytes == -1) {
+    if (bytes <= 0) {
         flb_pipe_error();
         return -1;
     }
+    if (bytes != sizeof(val)) {
+        flb_error("[thread event loop] short read on fd=%i, got=%i expected=%zu",
+                  fd, bytes, sizeof(val));
+        return -1;
+    }
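
Review bot: in `if (bytes <= 0)` the zero case is routed to `flb_pipe_error()`, but a read that returns 0 sets no error code, so the log line would report whatever error was left over from an earlier call. Suggest keeping `bytes == -1` for `flb_pipe_error()` and giving 0 its own message (peer closed) next to the short-read branch. Also confirm that `%i` matches the declared type of `bytes`, which these lines do not show.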

Similar patterns exist at lines 437–438 and 774–775 in the same file, though they use only <= 0 checks without validating message completeness. Both handle_input_event and handle_input_thread_event need this fix.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/flb_input_thread.c` around lines 62 - 65, The handlers currently call
flb_pipe_r(fd, &val, sizeof(val)) and only treat bytes == -1 (or <= 0) as
errors, which allows 0 (peer closed) or short reads to proceed and corrupt the
decoded bit-field; in handle_input_event and handle_input_thread_event update
the read handling to verify that the returned bytes == sizeof(val) and treat any
other return (0 or short read or -1) as an error/closed peer path (call
flb_pipe_error() or the existing cleanup flow), and apply the same full-length
validation to the other occurrences of flb_pipe_r reading fixed-size protocol
messages so you never decode a partially-populated val.
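
The short-read failure mode this comment describes, as an added example that is not part of the pull request or of Fluent Bit's code: a read-exact helper for a fixed-size 64-bit message that tells an error, a clean close and a truncated message apart, going beyond the proposed fix by retrying partial reads. It assumes a blocking descriptor and plain `read()`; `read_event`, `demo` and the `EV_*` codes are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result codes (hypothetical names, not Fluent Bit's) */
enum { EV_OK, EV_CLOSED, EV_SHORT, EV_ERROR };

/* Read exactly one 64-bit event; *out is written only on EV_OK. */
static int read_event(int fd, uint64_t *out)
{
    unsigned char buf[sizeof(uint64_t)];
    size_t got = 0;

    while (got < sizeof(buf)) {
        ssize_t n = read(fd, buf + got, sizeof(buf) - got);
        if (n == -1) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return EV_ERROR;                /* errno is meaningful here */
        }
        if (n == 0)                         /* EOF: errno is NOT set */
            return got == 0 ? EV_CLOSED : EV_SHORT;
        got += (size_t) n;
    }
    memcpy(out, buf, sizeof(*out));         /* complete message only */
    return EV_OK;
}

/* Constructed input: put len bytes of msg in a pipe, close the writer,
 * then try to read one event back. */
static int demo(const void *msg, size_t len, uint64_t *out)
{
    int p[2], rc;

    if (pipe(p) == -1) return EV_ERROR;
    rc = (len == 0 || write(p[1], msg, len) == (ssize_t) len) ? EV_OK : EV_ERROR;
    close(p[1]);
    if (rc == EV_OK) rc = read_event(p[0], out);
    close(p[0]);
    return rc;
}

int main(void)
{
    uint64_t msg = 0x0000000500000007ULL, val = 0;   /* constructed value */

    printf("full=%d short=%d closed=%d\n", demo(&msg, sizeof(msg), &val),
           demo(&msg, 3, &val), demo(&msg, 0, &val));
    return 0;
}
```

On a non-blocking descriptor the `EAGAIN` case would need its own branch, since bytes already consumed cannot be put back.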

}
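
Review bot: `uint64_t val;` is declared without an initializer and the only guard after `flb_pipe_r(fd, &val, sizeof(val))` is `bytes == -1`, so a return of 0 or of fewer than sizeof(val) bytes falls through with `val` partly or wholly indeterminate. Suggest rejecting anything other than `bytes == sizeof(val)` before `val` is used, and initializing `val` to 0 so a missed path cannot act on stack garbage.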
