Posted to dev@zookeeper.apache.org by "Jeremy Sowden (Jira)" <ji...@apache.org> on 2020/01/13 14:54:00 UTC

[jira] [Created] (ZOOKEEPER-3697) zoo_amulti can attempt to free invalid memory after marshalling errors.

Jeremy Sowden created ZOOKEEPER-3697:
----------------------------------------

             Summary: zoo_amulti can attempt to free invalid memory after marshalling errors.
                 Key: ZOOKEEPER-3697
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3697
             Project: ZooKeeper
          Issue Type: Bug
          Components: c client
            Reporter: Jeremy Sowden


{{zoo_amulti}} only initializes request objects if {{rc == ZOK}}, but it unconditionally calls {{free_duplicate_path}}.  For example:

{noformat}
             case ZOO_CHECK_OP: {
                struct CheckVersionRequest req;
                rc = rc < 0 ? rc : CheckVersionRequest_init(zh, &req,
                                        op->check_op.path, op->check_op.version);
                rc = rc < 0 ? rc : serialize_CheckVersionRequest(oa, "req", &req);
                enter_critical(zh);
                entry = create_completion_entry(zh, h.xid, COMPLETION_VOID, op_result_void_completion, result, 0, 0);
                leave_critical(zh);
                free_duplicate_path(req.path, op->check_op.path);
                break;
            }
{noformat}

This means that if there is a marshalling error in one operation, then for all the later operations the request will not be initialized, the value of {{req.path}} will be undefined, and {{free_duplicate_path}} may attempt to free an invalid pointer.
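As an added illustration (not the ZooKeeper client's code and not the project's fix for this ticket), a hypothetical C model of the same loop with the request zero-initialised and the free guarded, so that a failed earlier operation leaves nothing indeterminate for {{free_duplicate_path}} to act on. {{check_request_init}}, {{run_check_ops}}, {{reset_free_calls}}, the stand-in {{ZMARSHALLINGERROR}} value and the sample paths are assumptions of the model:

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the zoo_amulti loop, not the ZooKeeper client's code.
 * ZMARSHALLINGERROR is a stand-in negative code chosen for the model. */
#define ZOK 0
#define ZMARSHALLINGERROR (-5)
struct check_request { char *path; };
static int free_calls;  /* counts duplicated paths actually freed */
int reset_free_calls(void) { int n = free_calls; free_calls = 0; return n; }
static const char *SAMPLE_PATHS[] = { "/a", "/b", "/c" };  /* constructed sample */

/* Models CheckVersionRequest_init: with a chroot prefix the path is copied
 * into fresh memory, otherwise the caller's pointer is stored. Note that
 * req->path is only ever assigned when this function actually runs. */
static int check_request_init(struct check_request *req, const char *chroot,
                              const char *path)
{
    if (chroot) {
        char *dup = malloc(strlen(chroot) + strlen(path) + 1);
        if (!dup) return ZMARSHALLINGERROR;
        strcpy(dup, chroot);
        strcat(dup, path);
        req->path = dup;
    } else {
        req->path = (char *)path;
    }
    return ZOK;
}

/* Models free_duplicate_path: frees only what init allocated; the NULL
 * check (free(NULL) is a no-op anyway) keeps the count honest. */
static void free_duplicate_path(char *path, const char *orig)
{
    if (path != NULL && path != orig) { free(path); free_calls++; }
}

/* Hardened loop: req starts in a known state, so once an earlier op has
 * failed (simulated by fail_at) later ops skip init without leaving an
 * indeterminate pointer for free_duplicate_path to act on. */
int run_check_ops(const char *chroot, const char *paths[], int n, int fail_at)
{
    int rc = ZOK;
    for (int i = 0; i < n; i++) {
        struct check_request req = { NULL };
        if (i == fail_at) rc = ZMARSHALLINGERROR;
        rc = rc < 0 ? rc : check_request_init(&req, chroot, paths[i]);
        free_duplicate_path(req.path, paths[i]);
    }
    return rc;
}
```

With a chroot prefix every initialised op duplicates and then frees its path, so the free count shows exactly how many ops reached init before the simulated error.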



--
This message was sent by Atlassian Jira
(v8.3.4#803005)