[
https://issues.apache.org/jira/browse/THRIFT-2490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13976498#comment-13976498
]
Jaesang Kim edited comment on THRIFT-2490 at 4/22/14 7:53 AM:
--------------------------------------------------------------
In the *generated* recv function, there is a routine for reading an exception from the
server.
If reading the exception fails, the object is unreferenced but the pointer is not set to
NULL.
So, in this situation the client is corrupted by a bad pointer error.
{code}
gboolean t_h_base_service_client_recv_get (THBaseServiceIf * iface, TResult ** _return, TIOError ** io, GError ** error)
{
  ...
  case 1:
    if (ftype == T_STRUCT)
    {
      /* This struct is an exception */
      if ( *io != NULL)
      {
        g_object_unref (*io);
      }
      *io = g_object_new (TYPE_T_I_O_ERROR, NULL);
      if ((ret = thrift_struct_read (THRIFT_STRUCT (*io), protocol, error)) < 0)
      {
        g_object_unref (*io); /* <-- need to set the io pointer to NULL here */
        return 0;
      }
      xfer += ret;
    } else {
      if ((ret = thrift_protocol_skip (protocol, ftype, error)) < 0)
        return 0;
      xfer += ret;
    }
    break;
  ...
}
{code}
In client code:
{code}
/* iface and _return named as in the generated signature; "if" and "return" are C keywords */
if (!t_h_base_service_client_get (iface, &_return, &io, &error)) {
  ...
  if (io) {
    g_object_unref (io); /* if the io pointer is invalid (already freed), this is a double free */
  }
  ...
}
{code}
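The failure mode above, as an added example that is not part of the report or of Thrift's generated code: a constructed pool-backed stand-in for the GObject refcounting (io_error_new / io_error_unref are assumed names, not glib) so the second unref can be counted instead of corrupting the heap, with recv_get modelling the generated routine both without and with the NULL assignment.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a refcounted GObject-style exception object.
 * Objects live in a fixed pool so an unref of a dead object is observable. */
typedef struct { int refcount; bool alive; } TIOError;

static TIOError pool[8];
static int double_free_count = 0;

static TIOError *io_error_new(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (!pool[i].alive) { pool[i].alive = true; pool[i].refcount = 1; return &pool[i]; }
    }
    return NULL;
}

/* Like g_object_unref: the object dies when the last reference drops.
 * Unref of an already-dead object is the double free the report describes. */
static void io_error_unref(TIOError *obj) {
    if (!obj->alive) { double_free_count++; return; }
    if (--obj->refcount == 0) obj->alive = false;
}

/* Model of the generated recv routine. read_ok stands in for the result of
 * thrift_struct_read; returns 0 on failure like the generated code. */
static int recv_get(TIOError **io, bool read_ok, bool set_null_on_fail) {
    if (*io != NULL) io_error_unref(*io);
    *io = io_error_new();
    if (!read_ok) {
        io_error_unref(*io);
        if (set_null_on_fail) *io = NULL;   /* the fix: caller no longer sees a stale pointer */
        return 0;
    }
    return 1;
}

/* Client-side cleanup as in the report: unref io if it is non-NULL.
 * Returns how many double frees that cleanup triggered (0 is the goal). */
static int client_call(bool set_null_on_fail) {
    TIOError *io = NULL;
    int before = double_free_count;
    if (!recv_get(&io, false, set_null_on_fail)) {
        if (io) io_error_unref(io);
    }
    return double_free_count - before;
}
```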
> c_glib: if fail to read a exception from server, client may be occurred
> double free
> ------------------------------------------------------------------------------------
>
> Key: THRIFT-2490
> URL: https://issues.apache.org/jira/browse/THRIFT-2490
> Project: Thrift
> Issue Type: Bug
> Components: C glib - Compiler
> Affects Versions: 0.9.1
> Environment: linux
> Reporter: Jaesang Kim
> Attachments: thrift-2490_set_null_freed_exception_object.patch
>
>
> If reading an exception from the server fails, a double free may occur in the client.
--
This message was sent by Atlassian JIRA
(v6.2#6252)