[ https://issues.apache.org/jira/browse/IGNITE-21556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18029806#comment-18029806 ]
Pavel Tupitsyn commented on IGNITE-21556:
-----------------------------------------
Looks good to me.
> ODBC 3.0: Use after free in SQLExecDirect
> -----------------------------------------
>
> Key: IGNITE-21556
> URL: https://issues.apache.org/jira/browse/IGNITE-21556
> Project: Ignite
> Issue Type: Bug
> Components: platforms
> Affects Versions: 3.0
> Reporter: Dmitrii Zabotlin
> Assignee: Igor Sapego
> Priority: Major
> Labels: ignite-3
> Fix For: 3.1
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There is a use-after-free bug in the ODBC platforms code.
> Steps to reproduce:
> 1. Execute query with parameters previously bound.
> 2. Execute another query on top of the same statement without parameters (for
> example, SELECT).
> If the previous parameter arrays are already freed, a crash will occur here:
> {code:cpp}
> void parameter::reset_stored_data() {
>     m_stored_data.clear();
>     // Reads through the application's result-length pointer held by m_buffer.
>     if (m_buffer.is_data_at_exec())
>         m_stored_data.reserve(m_buffer.get_data_at_exec_size());
> }
> {code}
> The is_data_at_exec method reads the buffer content:
> {code:cpp}
> bool application_data_buffer::is_data_at_exec() const {
>     // res_len_ptr points into application-owned memory (the SQLLEN indicator
>     // passed at bind time); nothing here checks that it is still valid.
>     const SQLLEN *res_len_ptr = get_result_len();
>     if (!res_len_ptr)
>         return false;
>
>     auto s_len = static_cast<std::int32_t>(*res_len_ptr);
>     return s_len <= SQL_LEN_DATA_AT_EXEC_OFFSET || s_len == SQL_DATA_AT_EXEC;
> }
> {code}
> If the parameter type is a variable-length type, for example, a string, res_len_ptr
> will not be null and we will read from freed memory.
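The sequence described in the issue, as an added illustration that is not Apache Ignite's code and does not claim to be the fix that landed for IGNITE-21556: a miniature model of a statement that borrows the application's SQLLEN indicator at bind time, keeps that pointer after the application has freed its parameter arrays, and then dereferences it from reset_stored_data() when a parameter-less query is executed on the same statement. The class and member names mirror the snippets above; the statement class, the parameter-marker check, the live-pointer registry and the scenario helper are assumptions made for the demonstration. Instead of reading freed memory the model consults a constructed registry of live indicators (a stand-in for what AddressSanitizer would report) and counts the dangling access, so the difference between the vulnerable path and two safe paths (the driver skipping parameter handling for a query with no markers, or the application unbinding with SQL_RESET_PARAMS before freeing its arrays) can be checked deterministically.

```cpp
// Added example, not Ignite's ODBC driver code. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

typedef long SQLLEN;                                   // ODBC indicator type
static const SQLLEN SQL_DATA_AT_EXEC = -2;             // real ODBC constants
static const SQLLEN SQL_LEN_DATA_AT_EXEC_OFFSET = -100;

// Constructed sanitizer stand-in: which application indicators are alive.
static std::set<const SQLLEN*> g_live_indicators;
static int g_uaf_reads = 0;                            // dangling reads observed

// Application-side parameter array: one SQLLEN indicator the app owns.
struct app_indicator {
    SQLLEN* ptr;
    explicit app_indicator(SQLLEN v) : ptr(new SQLLEN(v)) { g_live_indicators.insert(ptr); }
    void release() { g_live_indicators.erase(ptr); delete ptr; ptr = nullptr; }
    ~app_indicator() { if (ptr) release(); }
};

class application_data_buffer {
public:
    application_data_buffer(const SQLLEN* res_len, std::size_t at_exec_size)
        : m_res_len(res_len), m_at_exec_size(at_exec_size) {}
    const SQLLEN* get_result_len() const { return m_res_len; }
    std::size_t get_data_at_exec_size() const { return m_at_exec_size; }
    bool is_data_at_exec() const {
        const SQLLEN* res_len_ptr = get_result_len();
        if (!res_len_ptr)
            return false;
        // A real driver dereferences here unconditionally; the model records
        // the use-after-free instead of performing it.
        if (!g_live_indicators.count(res_len_ptr)) { ++g_uaf_reads; return false; }
        auto s_len = static_cast<std::int32_t>(*res_len_ptr);
        return s_len <= SQL_LEN_DATA_AT_EXEC_OFFSET || s_len == SQL_DATA_AT_EXEC;
    }
private:
    const SQLLEN* m_res_len;      // borrowed from the application, never owned
    std::size_t m_at_exec_size;
};

class parameter {
public:
    explicit parameter(application_data_buffer buf) : m_buffer(buf) {}
    void reset_stored_data() {
        m_stored_data.clear();
        if (m_buffer.is_data_at_exec())
            m_stored_data.reserve(m_buffer.get_data_at_exec_size());
    }
private:
    application_data_buffer m_buffer;
    std::vector<std::int8_t> m_stored_data;
};

class statement {
public:
    void bind_parameter(int idx, const SQLLEN* indicator, std::size_t at_exec_size) {
        m_params.erase(idx);
        m_params.emplace(idx, parameter(application_data_buffer(indicator, at_exec_size)));
    }
    void reset_params() { m_params.clear(); }   // SQLFreeStmt(SQL_RESET_PARAMS)
    // Hypothetical defensive variant: a query without parameter markers never
    // touches the old bindings. The '?' scan ignores quoting for brevity.
    void exec_direct(const std::string& query, bool hardened) {
        if (hardened && query.find('?') == std::string::npos)
            return;
        for (auto& kv : m_params)
            kv.second.reset_stored_data();
        // sending the query to the server is out of scope for the model
    }
private:
    std::map<int, parameter> m_params;
};

// Returns the number of dangling indicator reads for the issue's scenario.
int run_scenario(bool hardened_driver, bool app_resets_params) {
    g_uaf_reads = 0;
    statement stmt;
    app_indicator ind(SQL_DATA_AT_EXEC);   // string param supplied via SQLPutData
    stmt.bind_parameter(1, ind.ptr, 64);
    stmt.exec_direct("INSERT INTO t VALUES (?)", hardened_driver);
    if (app_resets_params)
        stmt.reset_params();
    ind.release();                          // app frees its parameter arrays
    stmt.exec_direct("SELECT 1", hardened_driver);
    return g_uaf_reads;
}

int main() {
    std::printf("vulnerable driver, app keeps bindings: %d dangling read(s)\n", run_scenario(false, false));
    std::printf("hardened driver,   app keeps bindings: %d dangling read(s)\n", run_scenario(true, false));
    std::printf("vulnerable driver, app resets params:  %d dangling read(s)\n", run_scenario(false, true));
    return 0;
}
```

Note that only the first run reports a dangling read: the vulnerable model path calls reset_stored_data() for every bound parameter on every execute, which is exactly where the quoted code dereferences res_len_ptr. Under ASan the real driver would report a heap-use-after-free at that line; the registry check is what makes the model's result assertable without undefined behaviour.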