a full daily CI: https://github.com/enjoy-binbin/redis/actions/runs/2750957825
test-sanitizer-undefined (clang) passed

there's something i'm still missing.

we're talking of this line, right:

    *cursor = (clusterMsgPingExt *) (ext->name + sizeof(clusterMsgPingExtForgottenNode));

ext is of type clusterMsgPingExtForgottenNode declared as:

typedef struct {
    char name[CLUSTER_NAMELEN]; /* Node name. */
    uint64_t ttl; /* Remaining time to blacklist the node, in seconds. */
} clusterMsgPingExtForgottenNode;

so if ext->name is is CLUSTER_NAMELEN, and ext is 8 bytes bigger, this line reaches beyond name and actually also beyond ext.
actually, considering that name is the first member, the result is the same as doing *cursor = etx+1.
was that what we meant? i don't see that it's allocated as an array..

@madolson please have a look.

ohh, i missed the fact it is casted to clusterMsgPingExt, and all of this math:

    estlen = sizeof(clusterMsg) - sizeof(union clusterMsgData);
    estlen += (sizeof(clusterMsgDataGossip)*(wanted + pfail_wanted));
    estlen += getHostnamePingExtSize();
    estlen += dictSize(server.cluster->nodes_black_list) *
        (sizeof(clusterMsgPingExt) + sizeof(clusterMsgPingExtForgottenNode));

    /* Note: clusterBuildMessageHdr() expects the buffer to be always at least
     * sizeof(clusterMsg) or more. */
    if (estlen < (int)sizeof(clusterMsg)) estlen = sizeof(clusterMsg);
    buf = zcalloc(estlen);

well, maybe we can declare a struct for all of that instead messing with offsets?

@enjoy-binbin can you check if doing this will also solve the problem (i.e. avoid using name)?

    *cursor = (clusterMsgPingExt *) (ext + sizeof(clusterMsgPingExtForgottenNode));

i rather not silence warnings in that area since it has a chance to hide other issues, and that code seems dangerous so i rather not do that.

ok, i triggered a daily: https://github.com/enjoy-binbin/redis/actions/runs/2753457376

i rather not silence warnings in that area since it has a chance to hide other issues, and that code seems dangerous so i rather not do that.

agree. my first thinking is also use ext, but I don't really want to modify the code, it is following the writeHostnamePingExt.
anyway, i see using ext can also solve the problem (the daily passed), i'll modify it first

int writeHostnamePingExt(clusterMsgPingExt **cursor) {
    /* If hostname is not set, we don't send this extension */
    if (sdslen(myself->hostname) == 0) return 0;

    /* Add the hostname information at the extension cursor */
    clusterMsgPingExtHostname *ext = &(*cursor)->ext[0].hostname;
    memcpy(ext->hostname, myself->hostname, sdslen(myself->hostname));
    uint32_t extension_size = getHostnamePingExtSize();

    /* Move the write cursor */
    (*cursor)->type = htons(CLUSTERMSG_EXT_TYPE_HOSTNAME);
    (*cursor)->length = htonl(extension_size);
    /* Make sure the string is NULL terminated by adding 1 */
    *cursor = (clusterMsgPingExt *) (ext->hostname + EIGHT_BYTE_ALIGN(sdslen(myself->hostname) + 1));
    return extension_size;
}

testing the final thing with sanitizers:
https://github.com/redis/redis/actions/runs/2755772154