[
https://issues.apache.org/jira/browse/AXIS2C-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Lazarski resolved AXIS2C-1355.
-------------------------------------
Fix Version/s: 2.0.0
Resolution: Fixed
When axis2_svc_client_set_options() was called to replace options, the old
options were freed. However, if an op_client existed (created during a
previous send_receive), it still held a pointer to the freed options.
When op_client was later freed, it accessed this dangling pointer causing
a use-after-free.
The fix adds axis2_op_client_set_options_ref() which updates the options
pointer without freeing, and calls it from axis2_svc_client_set_options()
to keep op_client->options in sync with svc_client->options.
> Changing service client options between messages
> ------------------------------------------------
>
> Key: AXIS2C-1355
> URL: https://issues.apache.org/jira/browse/AXIS2C-1355
> Project: Axis2-C
> Issue Type: Bug
> Components: core/clientapi
> Affects Versions: 1.6.0
> Environment: Axis2/C from svn (26 Feb 2009)
> Linux 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386
> GNU/Linux
> Reporter: Rutger van Eerd
> Priority: Major
> Fix For: 2.0.0
>
>
> I want to use a single service client to send multiple messages, with
> different options (i.e. SOAP action). Basicly I do the following.
> 1. Create service client object.
> 2. Create options object and set options.
> 3. Set options to service client (axis2_svc_client_set_options).
> 4. Execute message (axis2_svc_client_send_receive).
> 5. Create new options object and set new options.
> 6. Set new options to service client (axis2_svc_client_set_options).
> 7. Execute new message (axis2_svc_client_send_receive).
> When doing step 7, I get the following message when running under Valgrind.
> ==3630== Invalid read of size 4
> ==3630== at 0x40954A2: axis2_options_get_xml_parser_reset (options.c:883)
> ==3630== by 0x4095E02: axis2_op_client_free (op_client.c:655)
> ==3630== by 0x4097D2E: axis2_svc_client_create_op_client
> (svc_client.c:1072)
> ==3630== by 0x4099735: axis2_svc_client_send_receive_with_op_qname
> (svc_client.c:835)
> ==3630== by 0x4099A1C: axis2_svc_client_send_receive (svc_client.c:939)
> ==3630== by 0x80496BA: main (client.cpp:273)
> ==3630== Address 0x427CD4C is 60 bytes inside a block of size 64 free'd
> ==3630== at 0x4004EFA: free (vg_replace_malloc.c:235)
> ==3630== by 0x4010E82: axutil_allocator_free_impl (allocator.c:92)
> ==3630== by 0x40951D8: axis2_options_free (options.c:787)
> ==3630== by 0x409785D: axis2_svc_client_set_options (svc_client.c:376)
> ==3630== by 0x804961F: main (client.cpp:261)
> My guess is that the op_client tries to access the old options object from
> step 2/3. This is no longer valid as it has been freed when setting the new
> options (step 6).
> Or is svc_client not designed to send multiple messages with different
> options?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
