You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "Michael Han (JIRA)" <ji...@apache.org> on 2017/03/13 16:22:12 UTC

[jira] [Updated] (ZOOKEEPER-2414) c-client aborted when operate's path is invalid in zoo_amulti

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Han updated ZOOKEEPER-2414:
-----------------------------------
    Fix Version/s:     (was: 3.4.11)
                       (was: 3.5.3)
                   3.5.4

> c-client aborted when operate's path is invalid in zoo_amulti 
> --------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2414
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2414
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client
>    Affects Versions: 3.4.6, 3.4.8
>            Reporter: Tianyi Zhang
>            Assignee: Meyer Kizner
>            Priority: Critical
>             Fix For: 3.5.4, 3.6.0
>
>         Attachments: ZOOKEEPER-2414.patch
>
>
> code like this:
> {code}
> zoo_op_t ops[2];
> zoo_op_result_t results[2];
> zoo_create_op_init(ops, "test", "1", 1, &ZOO_OPEN_ACL_UNSAFE, 0, NULL, 0);
> zoo_create_op_init(ops+1, "/test/1", "2", 1, &ZOO_OPEN_ACL_UNSAFE, 0, NULL, 0);
> zoo_multi(zkhandle, 2, ops, results);
> {code}
> The ops->path is invalid, and it will cause double free in the line 3136 of zookeeper.c.
> {code}
> for (index=0; index < count; index++) {
>         const zoo_op_t *op = ops+index;
>         zoo_op_result_t *result = results+index;
>         completion_list_t *entry = NULL;
>         struct MultiHeader mh = { STRUCT_INITIALIZER(type, op->type), STRUCT_INITIALIZER(done, 0),    STRUCT_INITIALIZER(err, -1) };
>         rc = rc < 0 ? rc : serialize_MultiHeader(oa, "multiheader", &mh);
>         switch(op->type) {
>             case ZOO_CREATE_OP: {
>                 struct CreateRequest req;
>                 rc = rc < 0 ? rc : CreateRequest_init(zh, &req,
>                                         op->create_op.path, op->create_op.data,
>                                         op->create_op.datalen, op->create_op.acl,
>                                         op->create_op.flags);
>                 rc = rc < 0 ? rc : serialize_CreateRequest(oa, "req", &req);
>                 result->value = op->create_op.buf;
>                 result->valuelen = op->create_op.buflen;
>                 enter_critical(zh);
>                 entry = create_completion_entry(h.xid, COMPLETION_STRING, op_result_string_completion, result, 0, 0);
>                 leave_critical(zh);
> -->             free_duplicate_path(req.path, op->create_op.path);
>                 break;
>             }
> {code}
> This problem will happen when the 'rc' of last op is less than 0(maybe ZBADARGUMENTS or ZINVALIDSTATE).
> In my case, rc of op[0] is  ZBADARGUMENTS, and the req.path of the ‘free_duplicate_path’ is still 'test' when execute op[1]. 
> I‘m confused about why not break the for-loop  when the 'rc' is  less than 0?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)