Microsoft KB Archive/319869

= FIX: Improved SQL Manager Robustness for Odd Length Buffer =

Article ID: 319869

Article Last Modified on 9/27/2005

-

APPLIES TO


 * Microsoft SQL Server 2000 Standard Edition

-



This article was previously published under Q319869





SYMPTOMS
An access violation (AV) exception may occur when SQL Server later frees the affected memory block. The following is a sample short stack dump that you may see in the error log:

 Short Stack Dump
 0040A829 Module(sqlservr+0000A829) (CVariableInfo::CVarBlock::PvbJoin+00000035)
 0040A782 Module(sqlservr+0000A782) (CVariableInfo::PviRelease+00000056)
 0040A72C Module(sqlservr+0000A72C) (CVarPageMgr::Release+00000014)
 00401B52 Module(sqlservr+00001B52) (CMemObj::Free+0000001E)
 00401AFD Module(sqlservr+00001AFD) (CMemThread::Free+00000044)
 00401B26 Module(sqlservr+00001B26) (commondelete+0000001B)
 00560988 Module(sqlservr+00160988) (CSql::~CSql+00000021)
 0053E4B9 Module(sqlservr+0013E4B9) (CSqlMgr::DerefSql+00000065)
 0053EAC8 Module(sqlservr+0013EAC8) (CCompPlan::~CCompPlan+00000051)
 0053EA4B Module(sqlservr+0013EA4B) (CCompPlan::`vector deleting destructor'+0000000B)
 00440B4F Module(sqlservr+00040B4F) (CCacheObject::Release+000000D8)
 005D2F4F Module(sqlservr+001D2F4F) (CCache::FRemoveOne+00000316)
 0081AB31 Module(sqlservr+0041AB31) (BPool::ReplenishFreeList+00000144)
 0040AFAB Module(sqlservr+0000AFAB) (BPool::HelpLazyWriter+00000037)
 004306F5 Module(sqlservr+000306F5) (BPool::ReadAhead+00000074)
 00431A6D Module(sqlservr+00031A6D) (SDES::ReadAhead+0000006D)
 00521D63 Module(sqlservr+00121D63) (UnorderedPageSupplier::AddToQueue+00000546)
 00521938 Module(sqlservr+00121938) (UnorderedPageSupplier::GetNextPage+0000006C)
 00405810 Module(sqlservr+00005810) (SDES::GetBiDi+0000019C)
 0043362A Module(sqlservr+0003362A) (RowsetSS::FetchNextRow+000000B0)
 00433506 Module(sqlservr+00033506) (CQScanRowset::GetRowWithPrefetch+00000040)
 00521769 Module(sqlservr+00121769) (CQScanTableScan::GetRow+0000005F)
 0042C876 Module(sqlservr+0002C876) (CRowPrefetchDelayMgr::PopulateBuffer+0000001F)
 0042C334 Module(sqlservr+0002C334) (CRowPrefetchDelayMgr::GetRowUnordered+0000001E)
 0042C247 Module(sqlservr+0002C247) (CRowPrefetchDelayMgr::GetRow+0000001B)
 0042C22B Module(sqlservr+0002C22B) (CQScanRangePrefetchDelay::GetRow+00000014)
 0042D02F Module(sqlservr+0002D02F) (CQScanNLJoin::GetRow+0000010B)
 006D58CB Module(sqlservr+002D58CB) (CQScanConcat::GetRow+0000001C)
 005285B0 Module(sqlservr+001285B0) (CQScanSort::BuildSortTable+00000047)
 00528560 Module(sqlservr+00128560) (CQScanSort::Open+00000032)
 0041D92F Module(sqlservr+0001D92F) (CQueryScan::Startup+0000010D)
 0041925F Module(sqlservr+0001925F) (CStmtQuery::ErsqExecuteQuery+0000026B)
 00432F55 Module(sqlservr+00032F55) (CStmtSelect::XretExecute+00000229)
 0040F403 Module(sqlservr+0000F403) (CMsqlExecContext::ExecuteStmts+000002D9)
 0040EA95 Module(sqlservr+0000EA95) (CMsqlExecContext::Execute+000001B6)
 00410159 Module(sqlservr+00010159) (CSQLSource::Execute+00000331)
 005F74B6 Module(sqlservr+001F74B6) (CStmtExecStr::XretExecute+0000032E)
 0040F403 Module(sqlservr+0000F403) (CMsqlExecContext::ExecuteStmts+000002D9)
 0040EA95 Module(sqlservr+0000EA95) (CMsqlExecContext::Execute+000001B6)
 00410159 Module(sqlservr+00010159) (CSQLSource::Execute+00000331)
 00429DD3 Module(sqlservr+00029DD3) (execrpc+000004CB)
 0042904D Module(sqlservr+0002904D) (execute_rpc+00000019)
 00410FCE Module(sqlservr+00010FCE) (process_commands+00000210)
 41073379 Module(UMS+00003379) (ProcessWorkRequests+0000024A)
 41073071 Module(UMS+00003071) (ThreadStartRoutine+000000BD)
 7800A27B Module(MSVCRT+0000A27B) (beginthread+000000CE)
 77E5758A Module(KERNEL32+0000758A) (SetFilePointer+0000018A)



CAUSE
SQL Server works with double-byte Unicode data internally; therefore, SQL Manager assumes an even-length buffer. However, under some unexpected situations the buffer length can become an odd number. For example, this behavior might occur with an invalid Tabular Data Stream (TDS) language event. When the buffer length is odd, SQL Manager cannot allocate a sufficiently large memory block. This leads to potential memory corruption (an overwrite past the end of the block) and can cause the access violation that is described in the "Symptoms" section when the affected memory block is freed later.
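The allocation arithmetic behind this cause, shown as an added illustration rather than SQL Server's own code: a routine that converts a byte count to a UTF-16 code-unit count and back rounds an odd length down, so the block it sizes is one byte shorter than the data that is later copied into it. The hardened variant beside it treats an odd-length buffer as malformed input and refuses it before any allocation. The function names, the error codes and the sample byte strings are constructed for this example and are assumptions, not identifiers from the article.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size a caller computes when it assumes the byte buffer holds whole
 * UTF-16 code units: bytes -> code units -> bytes. For an odd byte
 * count the division truncates, so the result is nbytes - 1: one byte
 * fewer than the data that will be copied in. (Illustrative only; this
 * is not the SQL Manager code path, just the arithmetic it describes.) */
size_t naive_wide_alloc_bytes(size_t nbytes) {
    size_t nunits = nbytes / sizeof(uint16_t);   /* truncates on odd input */
    return nunits * sizeof(uint16_t);
}

/* Hardened variant: an odd-length buffer cannot be valid UTF-16, so it
 * is rejected up front. On success *out receives a heap block whose
 * size is exactly nbytes and *out_units the number of code units.
 * Returns 0 on success, -1 for malformed input, -2 on allocation failure. */
int copy_as_utf16(const uint8_t *src, size_t nbytes,
                  uint16_t **out, size_t *out_units) {
    *out = NULL;
    *out_units = 0;
    if (src == NULL || (nbytes % sizeof(uint16_t)) != 0) {
        return -1;   /* malformed: do not allocate, do not copy */
    }
    size_t nunits = nbytes / sizeof(uint16_t);
    /* malloc(0) may legitimately return NULL; keep the empty case well-defined */
    uint16_t *buf = malloc(nbytes == 0 ? sizeof(uint16_t) : nbytes);
    if (buf == NULL) {
        return -2;
    }
    memcpy(buf, src, nbytes);   /* exact fit: block size equals data size */
    *out = buf;
    *out_units = nunits;
    return 0;
}

int main(void) {
    /* Constructed sample buffers: "AB" as little-endian UTF-16 (4 bytes),
     * and the same data with its last byte missing (3 bytes, odd). */
    const uint8_t even[4] = { 0x41, 0x00, 0x42, 0x00 };
    const uint8_t odd[3]  = { 0x41, 0x00, 0x42 };

    printf("naive size for 4 bytes: %zu\n", naive_wide_alloc_bytes(4));  /* 4 */
    printf("naive size for 3 bytes: %zu\n", naive_wide_alloc_bytes(3));  /* 2: short by one */

    uint16_t *w = NULL;
    size_t n = 0;
    int rc = copy_as_utf16(even, sizeof even, &w, &n);
    printf("even buffer: rc=%d units=%zu\n", rc, n);
    free(w);

    rc = copy_as_utf16(odd, sizeof odd, &w, &n);
    printf("odd buffer:  rc=%d (rejected before allocation)\n", rc);
    return 0;
}
```

The check is cheap and belongs at the protocol boundary: once an odd byte count has been accepted, every downstream length-to-code-unit conversion silently loses a byte, and the damage only surfaces later, on free, as the stack dump above shows.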



RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft SQL Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

290211 INF: How to Obtain the Latest SQL Server 2000 Service Pack

Hotfix

The following hotfix was created before the release of SQL Server 2000 Service Pack 3 (SP3).

The English version of this fix should have the following file attributes or later:

   Date         Time   Version         Size        File name
   ------------------------------------------------------------
   15-Mar-2002  09:04  2000.80.599.0   7,446,609   Sqlservr.exe

Note Because of file dependencies, the most recent hotfix or feature that contains the files may also contain additional files.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.

Keywords: kbbug kbfix kbqfe kbhotfixserver KB319869


© Microsoft Corporation. All rights reserved.