yxscc commented on issue #811:
URL: https://github.com/apache/celix/issues/811#issuecomment-3697998845

Additional finding: the same race/UAF exists in deprecated `serviceTracker_getServices`. The returned array holds raw service pointers without retaining useCount; during concurrent unregister, `serviceTracker_untrackTracked` ungets and frees the tracked entry, leaving array entries dangling.

Repro: two threads — one repeatedly calls `serviceTracker_getServices` and touches entries; the other repeatedly unregisters/re-registers the same service (freeing the old instance). In Debug/ASan, the gtest `ServiceTrackerUafGetServicesTestSuite.DeprecatedGetServicesReturnsFreedPointers` crashes with `free(): invalid size` (exit 134), showing that `getServices` can return freed objects under unregister races.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
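Added example, not part of the comment above and not Celix code: a single-threaded model of the lifetime rule the finding turns on, where a snapshot takes a reference on each tracked entry so that untracking cannot free it while the caller still holds the array. All names (`tracked_t`, `snapshot_retained`, `untrack`, and so on) are hypothetical, and the tracker lock that would have to guard the snapshot loop and `untrack` in a real tracker is assumed rather than modelled.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of a tracked entry; not the Celix data structure. */
typedef struct tracked {
    atomic_int use_count; /* starts at 1: the tracker's own reference */
    int *service;         /* stands in for the service instance */
    int *freed_flag;      /* demo only: set to 1 when the entry is destroyed */
} tracked_t;

static tracked_t *tracked_create(int value, int *freed_flag) {
    tracked_t *t = malloc(sizeof *t);
    if (!t || !(t->service = malloc(sizeof *t->service))) abort();
    atomic_init(&t->use_count, 1);
    *t->service = value;
    t->freed_flag = freed_flag;
    *freed_flag = 0;
    return t;
}
/* Drop one reference; only the last holder destroys the entry. */
static void tracked_release(tracked_t *t) {
    if (atomic_fetch_sub(&t->use_count, 1) == 1) {
        *t->freed_flag = 1;
        free(t->service);
        free(t);
    }
}
/* Retaining snapshot: each returned pointer owns a reference.
 * Assumption: a real tracker runs this loop under its lock. */
static size_t snapshot_retained(tracked_t **entries, size_t n, tracked_t **out) {
    for (size_t i = 0; i < n; i++) {
        atomic_fetch_add(&entries[i]->use_count, 1);
        out[i] = entries[i];
    }
    return n;
}
static void snapshot_release(tracked_t **snap, size_t n) {
    for (size_t i = 0; i < n; i++) tracked_release(snap[i]);
}
/* Unregister path: the tracker gives up its reference. */
static void untrack(tracked_t **slot) { tracked_release(*slot); *slot = NULL; }

/* Untrack while a snapshot is held, then read through the snapshot. */
int demo_read_after_untrack(int *freed_before, int *freed_after) {
    int freed;
    tracked_t *entries[1] = { tracked_create(42, &freed) }, *snap[1];
    size_t n = snapshot_retained(entries, 1, snap);
    untrack(&entries[0]);
    *freed_before = freed;         /* entry survives: snapshot holds a ref */
    int value = *snap[0]->service; /* safe read, no dangling pointer */
    snapshot_release(snap, n);
    *freed_after = freed;          /* destroyed once the last ref is gone */
    return value;
}
int main(void) { int b, a; return demo_read_after_untrack(&b, &a) == 42 && !b && a ? 0 : 1; }
```
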
