[ 
https://issues.apache.org/jira/browse/IGNITE-21556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18029799#comment-18029799
 ] 

Igor Sapego edited comment on IGNITE-21556 at 10/14/25 2:39 PM:
----------------------------------------------------------------

I've implemented the test that shows the issue. The issue really happens, but 
I've checked the documentation and it seems to be a user code bug, as the user 
has to unbind all the parameters before de-allocating them. We should keep 
bindings to parameters from call to call according to the specification. So 
I've fixed the test and made sure it works.

Ready for review. [~ptupitsyn], can you take a look?


was (Author: isapego):
Ready for review. [~ptupitsyn], can you take a look?

> ODBC 3.0: Use after free in SQLExecDirect
> -----------------------------------------
>
>                 Key: IGNITE-21556
>                 URL: https://issues.apache.org/jira/browse/IGNITE-21556
>             Project: Ignite
>          Issue Type: Bug
>          Components: platforms
>    Affects Versions: 3.0
>            Reporter: Dmitrii Zabotlin
>            Assignee: Igor Sapego
>            Priority: Major
>              Labels: ignite-3
>             Fix For: 3.1
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> There is a use-after-free bug in the ODBC platforms code.
> Steps to reproduce:
> 1. Execute query with parameters previously bound.
> 2. Execute another query on top of the same statement without parameters (for 
> example, SELECT).
> If previous parameter arrays are already freed crash will occur here:
> {code:java}
> void parameter::reset_stored_data() {
>     m_stored_data.clear();
>     if (m_buffer.is_data_at_exec())
>         m_stored_data.reserve(m_buffer.get_data_at_exec_size());
> } {code}
> Method is_data_at_exec reads buffer content:
> {code:java}
> bool application_data_buffer::is_data_at_exec() const {
>     const SQLLEN *res_len_ptr = get_result_len();
>     if (!res_len_ptr)
>         return false;
>     auto s_len = static_cast<std::int32_t>(*res_len_ptr);
>     return s_len <= SQL_LEN_DATA_AT_EXEC_OFFSET || s_len == SQL_DATA_AT_EXEC;
> }{code}
> If parameter type is variable length type, for example, string, res_len_ptr 
> will not be null and we will read from freed memory.
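The lifetime contract behind this report, as an added example that is not part of the issue or the Ignite driver: a hypothetical model of a driver's parameter slots that, like the quoted `is_data_at_exec`, re-reads the application's `StrLen_or_IndPtr` on every execution, together with the application sequence the comment calls for (reset the bindings, then free the buffers). The struct names, `bind_param`, `reset_params` and `count_data_at_exec` are assumptions; the indicator constants are the standard ODBC ones.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Standard ODBC indicator values, as defined in sqlext.h. */
#define SQL_DATA_AT_EXEC            (-2)
#define SQL_LEN_DATA_AT_EXEC_OFFSET (-100)
#define SQL_LEN_DATA_AT_EXEC(n)     (-(n) + SQL_LEN_DATA_AT_EXEC_OFFSET)
typedef long SQLLEN;
/* Hypothetical model of a driver's bound-parameter slots: the driver keeps only
 * the application's pointer to the indicator and re-reads it on each execution. */
typedef struct { bool bound; SQLLEN *ind_ptr; } parameter;
typedef struct { parameter params[4]; } statement;

/* Same test as the issue's is_data_at_exec(), applied to an indicator value. */
static bool indicator_is_data_at_exec(SQLLEN ind) {
    int s_len = (int)ind;
    return s_len <= SQL_LEN_DATA_AT_EXEC_OFFSET || s_len == SQL_DATA_AT_EXEC;
}

/* SQLBindParameter analogue: the binding persists across executions (per spec). */
static void bind_param(statement *st, int idx, SQLLEN *ind) {
    st->params[idx].bound = true;
    st->params[idx].ind_ptr = ind;
}

/* SQLFreeStmt(hstmt, SQL_RESET_PARAMS) analogue: forget every binding. */
static void reset_params(statement *st) { memset(st->params, 0, sizeof st->params); }

/* Executing reads every live binding's indicator: the read that faulted once
 * the application had freed the indicator without unbinding it. */
static int count_data_at_exec(const statement *st) {
    int n = 0;
    for (size_t i = 0; i < 4; i++)
        if (st->params[i].bound && st->params[i].ind_ptr &&
            indicator_is_data_at_exec(*st->params[i].ind_ptr))
            n++;
    return n;
}

/* Correct application lifecycle: reset bindings, then free; returns
 * first-pass count * 10 + second-pass count (the parameter-less SELECT). */
static int correct_lifecycle(void) {
    statement st = {0};
    SQLLEN *ind = malloc(sizeof *ind);
    *ind = SQL_LEN_DATA_AT_EXEC(5);      /* -105: data supplied at execute time */
    bind_param(&st, 0, ind);
    int first = count_data_at_exec(&st); /* 1 */
    reset_params(&st);                   /* must precede free() */
    free(ind);
    return first * 10 + count_data_at_exec(&st);
}
```

Skipping the `reset_params` step leaves `ind_ptr` dangling, and the second execution reads freed memory exactly as the report describes.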



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
