[ https://issues.apache.org/jira/browse/ZOOKEEPER-3697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeremy Sowden updated ZOOKEEPER-3697:
-------------------------------------
Description:
{{zoo_amulti}} only initializes request objects if {{rc == ZOK}}, but it
unconditionally calls {{free_duplicate_path}}. For example:
{noformat}
case ZOO_CHECK_OP: {
    struct CheckVersionRequest req;
    /* init (which is what sets req.path) is skipped once rc is negative */
    rc = rc < 0 ? rc : CheckVersionRequest_init(zh, &req,
                                                op->check_op.path,
                                                op->check_op.version);
    rc = rc < 0 ? rc : serialize_CheckVersionRequest(oa, "req",
                                                     &req);
    enter_critical(zh);
    entry = create_completion_entry(zh, h.xid, COMPLETION_VOID,
                                    op_result_void_completion, result, 0, 0);
    leave_critical(zh);
    /* runs regardless of rc, so req.path may be uninitialized here */
    free_duplicate_path(req.path, op->check_op.path);
    break;
}
{noformat}
This means that if there is a marshalling error in one operation, then for all
the later operations the request will not be initialized, the value of
{{req.path}} will be undefined, and {{free_duplicate_path}} may attempt to free
an invalid pointer.
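The failure mode described above, reduced to a self-contained C program. This is an added example, not code from the ZooKeeper client: the types, error codes and {{free_duplicate_path}} contract mirror the snippet, but the bodies are constructed here, the {{zh}} handle is replaced by a plain {{chroot}} string, and a small allocation registry stands in for what a sanitizer would report. The buggy variant poisons {{req.path}} with a sentinel so the indeterminate-stack case is deterministic, and the hardened variant zero-initialises the request and only frees when initialisation actually ran.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the ZooKeeper C client (names mirror the
 * snippet, bodies are this example's own). Error codes match zookeeper.h. */
#define ZOK 0
#define ZSYSTEMERROR (-1)
#define ZMARSHALLINGERROR (-5)

struct CheckVersionRequest { char *path; int version; };

/* Tiny allocation registry: a free() of a pointer we never handed out is
 * counted instead of crashing, which is the invalid free the report warns of. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int bad_frees;

static void *track_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; break; }
    return p;
}
static void track_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;   /* pointer never came from track_alloc */
}

/* Assumption: under a chroot the path is duplicated with the prefix
 * prepended, otherwise the caller's pointer is reused unchanged. */
static int CheckVersionRequest_init(const char *chroot, struct CheckVersionRequest *req,
                                    const char *path, int version) {
    if (chroot) {
        size_t n = strlen(chroot) + strlen(path) + 1;
        req->path = track_alloc(n);
        if (!req->path) return ZSYSTEMERROR;
        snprintf(req->path, n, "%s%s", chroot, path);
    } else {
        req->path = (char *)path;
    }
    req->version = version;
    return ZOK;
}

/* Frees the path only if it was really duplicated (same contract as the report). */
static void free_duplicate_path(const char *free_path, const char *path) {
    if (free_path != path) track_free((void *)free_path);
}

/* Pattern from the report: a negative rc carried over from an earlier op
 * skips init, yet the free still runs on whatever req.path happens to hold.
 * The sentinel emulates leftover stack contents so the run is deterministic. */
static int check_op_buggy(const char *chroot, const char *path, int rc) {
    struct CheckVersionRequest req;
    req.path = (char *)1;   /* constructed: stands in for uninitialised garbage */
    rc = rc < 0 ? rc : CheckVersionRequest_init(chroot, &req, path, 1);
    free_duplicate_path(req.path, path);
    return rc;
}

/* Hardened: zero-initialise so req.path is a known value, and only release
 * the duplicate when initialisation actually succeeded. */
static int check_op_fixed(const char *chroot, const char *path, int rc) {
    struct CheckVersionRequest req = {0};
    rc = rc < 0 ? rc : CheckVersionRequest_init(chroot, &req, path, 1);
    if (rc == ZOK) free_duplicate_path(req.path, path);
    return rc;
}

/* Second op of a multi whose first op already failed marshalling:
 * returns how many invalid frees that op attempted. */
static int bad_frees_after_marshalling_error(int (*check_op)(const char *, const char *, int)) {
    bad_frees = 0;
    check_op("/chroot", "/node", ZMARSHALLINGERROR);
    return bad_frees;
}

/* Happy path with and without chroot: returns invalid frees plus leaked blocks. */
static int happy_path_defects(int (*check_op)(const char *, const char *, int)) {
    bad_frees = 0;
    check_op("/chroot", "/node", ZOK);
    check_op(NULL, "/node", ZOK);
    int leaked = 0;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) leaked++;
    return bad_frees + leaked;
}

int main(void) {
    printf("buggy: %d invalid free(s) after marshalling error\n",
           bad_frees_after_marshalling_error(check_op_buggy));
    printf("fixed: %d invalid free(s) after marshalling error\n",
           bad_frees_after_marshalling_error(check_op_fixed));
    return 0;
}
```

Both variants behave identically when every operation succeeds; the difference only shows once an earlier operation has left {{rc}} negative, which is exactly the multi-op sequence the report describes. Under AddressSanitizer the buggy variant's stray free would abort the process rather than be counted.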
> zoo_amulti can attempt to free invalid memory after marshalling errors.
> -----------------------------------------------------------------------
>
> Key: ZOOKEEPER-3697
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3697
> Project: ZooKeeper
> Issue Type: Bug
> Components: c client
> Reporter: Jeremy Sowden
> Priority: Minor
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)