[ 
https://issues.apache.org/jira/browse/AXIS2C-1236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Lazarski resolved AXIS2C-1236.
-------------------------------------
    Fix Version/s: 2.0.0
                       (was: 1.7.0)
       Resolution: Fixed

    axiom_soap_body_convert_fault_to_soap11() was retrieving fault components
    one at a time, freeing nodes between retrieval calls. This caused
    use-after-free because the SOAP builder's internal last_node pointer
    could still reference freed memory when the next component was retrieved.

    Valgrind reported:
      Invalid read in axiom_node_is_complete (om_node.c:991)
      Address is inside a block free'd by axiom_node_free_tree

    The fix retrieves ALL fault components (code, reason, role, detail)
    upfront before any modification or freeing. This ensures the SOAP
    builder completes parsing the entire fault structure before nodes
    are freed, preventing dangling pointer access.


> Memory issues in Axis2/C service client
> ---------------------------------------
>
>                 Key: AXIS2C-1236
>                 URL: https://issues.apache.org/jira/browse/AXIS2C-1236
>             Project: Axis2-C
>          Issue Type: Bug
>          Components: core/clientapi
>    Affects Versions: 1.4.0
>         Environment: Linux, Axis2/C 1.4.0, Rampart/C 1.2.0
>            Reporter: Chris Rose
>            Priority: Major
>             Fix For: 2.0.0
>
>
> Some memory errors are cropping up when I run the client API through 
> valgrind, some of which are leaks, others of which are problems with 
> accessing previously-freed memory.
> When calling axis2_svc_client_send_receive, there is an invalid read from a 
> previously-freed AXIOM node structure.  This occurs during SOAP fault 
> processing:
> ==17373== Invalid read of size 4
> ==17373==    at 0x4544A82: axiom_node_is_complete (om_node.c:991)
> ==17373==    by 0x454E5FE: axiom_stax_builder_end_element 
> (om_stax_builder.c:755)
> ==17373==    by 0x454EF51: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1154)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x455099D: axiom_soap_fault_get_reason (soap_fault.c:274)
> ==17373==    by 0x4557791: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:422)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==  Address 0x4455bb8 is 32 bytes inside a block of size 40 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x4543886: axiom_node_free_detached_subtree (om_node.c:154)
> ==17373==    by 0x4543760: axiom_node_free_detached_subtree (om_node.c:106)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373== 
> ==17373== Invalid read of size 4
> ==17373==    at 0x4544883: axiom_node_get_parent (om_node.c:876)
> ==17373==    by 0x454E617: axiom_stax_builder_end_element 
> (om_stax_builder.c:757)
> ==17373==    by 0x454EF51: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1154)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x455099D: axiom_soap_fault_get_reason (soap_fault.c:274)
> ==17373==    by 0x4557791: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:422)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==  Address 0x4455ba0 is 8 bytes inside a block of size 40 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x4543886: axiom_node_free_detached_subtree (om_node.c:154)
> ==17373==    by 0x4543760: axiom_node_free_detached_subtree (om_node.c:106)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373== 
> ==17373== Invalid write of size 4
> ==17373==    at 0x4544ED1: axiom_node_set_complete (om_node.c:1117)
> ==17373==    by 0x454E63A: axiom_stax_builder_end_element 
> (om_stax_builder.c:760)
> ==17373==    by 0x454EF51: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1154)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x455099D: axiom_soap_fault_get_reason (soap_fault.c:274)
> ==17373==    by 0x4557791: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:422)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==  Address 0x4455268 is 32 bytes inside a block of size 40 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x4543886: axiom_node_free_detached_subtree (om_node.c:154)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==    by 0x4030C01: Tcl_EvalObjEx (tclBasic.c:4004)
> ==17373== 
> ==17373== Invalid read of size 4
> ==17373==    at 0x4544A82: axiom_node_is_complete (om_node.c:991)
> ==17373==    by 0x454DE65: axiom_stax_builder_create_om_element 
> (om_stax_builder.c:540)
> ==17373==    by 0x454EEF7: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1133)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x455099D: axiom_soap_fault_get_reason (soap_fault.c:274)
> ==17373==    by 0x4557791: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:422)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==  Address 0x4455268 is 32 bytes inside a block of size 40 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x4543886: axiom_node_free_detached_subtree (om_node.c:154)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==    by 0x4030C01: Tcl_EvalObjEx (tclBasic.c:4004)
> ==17373== 
> ==17373== Invalid read of size 4
> ==17373==    at 0x4544883: axiom_node_get_parent (om_node.c:876)
> ==17373==    by 0x454DE82: axiom_stax_builder_create_om_element 
> (om_stax_builder.c:542)
> ==17373==    by 0x454EEF7: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1133)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x455099D: axiom_soap_fault_get_reason (soap_fault.c:274)
> ==17373==    by 0x4557791: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:422)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==  Address 0x4455250 is 8 bytes inside a block of size 40 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x4543886: axiom_node_free_detached_subtree (om_node.c:154)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==    by 0x4030C01: Tcl_EvalObjEx (tclBasic.c:4004)
> ==17373== 
> ==17373== Invalid write of size 4
> ==17373==    at 0x4544D0C: axiom_node_set_next_sibling (om_node.c:1065)
> ==17373==    by 0x454DEE5: axiom_stax_builder_create_om_element 
> (om_stax_builder.c:554)
> ==17373==    by 0x454EEF7: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1133)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x455099D: axiom_soap_fault_get_reason (soap_fault.c:274)
> ==17373==    by 0x4557791: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:422)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==  Address 0x4455258 is 16 bytes inside a block of size 40 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x4543886: axiom_node_free_detached_subtree (om_node.c:154)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==    by 0x40618BB: TclExecuteByteCode (tclExecute.c:1404)
> ==17373==    by 0x4060A55: TclCompEvalObj (tclExecute.c:982)
> ==17373==    by 0x4030C01: Tcl_EvalObjEx (tclBasic.c:4004)
> ==17373== 
> ==17373== Invalid read of size 1
> ==17373==    at 0x451930C: axutil_hash_find_entry (hash.c:307)
> ==17373==    by 0x45195A3: axutil_hash_set (hash.c:395)
> ==17373==    by 0x454DB72: axiom_stax_builder_process_namespaces 
> (om_stax_builder.c:437)
> ==17373==    by 0x454E010: axiom_stax_builder_create_om_element 
> (om_stax_builder.c:579)
> ==17373==    by 0x454EEF7: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1133)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x4550D6C: axiom_soap_fault_get_detail (soap_fault.c:417)
> ==17373==    by 0x4557976: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:506)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==  Address 0x4455558 is 0 bytes inside a block of size 5 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x451DCAA: axutil_string_free (string.c:206)
> ==17373==    by 0x454C14B: axiom_namespace_free (om_namespace.c:102)
> ==17373==    by 0x4548508: axiom_element_free (om_element.c:717)
> ==17373==    by 0x454379C: axiom_node_free_detached_subtree (om_node.c:115)
> ==17373==    by 0x4543760: axiom_node_free_detached_subtree (om_node.c:106)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373== 
> ==17373== Invalid read of size 1
> ==17373==    at 0x451930C: axutil_hash_find_entry (hash.c:307)
> ==17373==    by 0x451955B: axutil_hash_get (hash.c:380)
> ==17373==    by 0x454DBF6: axiom_stax_builder_process_namespaces 
> (om_stax_builder.c:457)
> ==17373==    by 0x454E010: axiom_stax_builder_create_om_element 
> (om_stax_builder.c:579)
> ==17373==    by 0x454EEF7: axiom_stax_builder_next_with_token 
> (om_stax_builder.c:1133)
> ==17373==    by 0x4558F9D: axiom_soap_builder_next (soap_builder.c:300)
> ==17373==    by 0x4550D6C: axiom_soap_fault_get_detail (soap_fault.c:417)
> ==17373==    by 0x4557976: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:506)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> ==17373==    by 0x402FA62: TclEvalObjvInternal (tclBasic.c:3084)
> ==17373==  Address 0x4455558 is 0 bytes inside a block of size 5 free'd
> ==17373==    at 0x400543C: free (vg_replace_malloc.c:323)
> ==17373==    by 0x4519EA3: axutil_allocator_free_impl (allocator.c:91)
> ==17373==    by 0x451DCAA: axutil_string_free (string.c:206)
> ==17373==    by 0x454C14B: axiom_namespace_free (om_namespace.c:102)
> ==17373==    by 0x4548508: axiom_element_free (om_element.c:717)
> ==17373==    by 0x454379C: axiom_node_free_detached_subtree (om_node.c:115)
> ==17373==    by 0x4543760: axiom_node_free_detached_subtree (om_node.c:106)
> ==17373==    by 0x45438BC: axiom_node_free_tree (om_node.c:178)
> ==17373==    by 0x4557765: axiom_soap_body_convert_fault_to_soap11 
> (soap_body.c:413)
> ==17373==    by 0x45BF00C: axis2_svc_client_send_receive_with_op_qname 
> (svc_client.c:932)
> ==17373==    by 0x45BF082: axis2_svc_client_send_receive (svc_client.c:949)
> ==17373==    by 0x44F7DBF: Axis2c_cmd_svc_client (axis2c_api.c:487)
> The fault message is this (note the malformed SOAP fault, this is a bug I 
> submitted last week):
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>    <soapenv:Header/>
>    <soapenv:Body>
>       <soapenv:Fault>
>          <faultcode>
>             <Subcode xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                <Value>wsse:FailedCheck</Value>
>             </Subcode>soapenv:Sender
>          </faultcode>
>          <faultstring>Could not find signature</faultstring>
>          <detail>
>             <wsse:ProblemSecurityHeader xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</wsse:ProblemSecurityHeader>
>          </detail>
>       </soapenv:Fault>
>    </soapenv:Body></soapenv:Envelope>
> Second, there is a leak in the client:
> ==17373== 76 (20 direct, 56 indirect) bytes in 1 blocks are definitely lost 
> in loss record 8 of 56
> ==17373==    at 0x4005898: malloc (vg_replace_malloc.c:207)
> ==17373==    by 0x4519E56: axutil_allocator_malloc_impl (allocator.c:74)
> ==17373==    by 0x451F151: axutil_qname_create (qname.c:62)
> ==17373==    by 0x489852C: rp_issued_token_builder_build 
> (issued_token_builder.c:89)
> ==17373==    by 0x4891A3A: neethi_assertion_builder_build 
> (assertion_builder.c:752)
> ==17373==    by 0x488C870: process_operation_element (engine.c:486)
> ==17373==    by 0x488BFAD: get_operator_neethi_policy (engine.c:246)
> ==17373==    by 0x488B91A: neethi_engine_get_policy (engine.c:88)
> ==17373==    by 0x4892837: rp_supporting_tokens_builder_build 
> (supporting_tokens_builder.c:100)
> ==17373==    by 0x4890829: neethi_assertion_builder_build 
> (assertion_builder.c:338)
> ==17373==    by 0x488C870: process_operation_element (engine.c:486)
> ==17373==    by 0x488BA74: get_operator_all (engine.c:117)
> ==17373== 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
