[ https://issues.apache.org/jira/browse/ZOOKEEPER-4809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
fanyang updated ZOOKEEPER-4809:
-------------------------------
    Description: 
{code:c}
void *do_completion(void *v)
{
    zhandle_t *zh = v;
    // ...
    api_epilog(zh, 0);                                           // L1
    LOG_DEBUG(LOGCALLBACK(zh), "completion thread terminated");  // L2
    return 0;
}
{code}
When the log level is debug, L2 gets the log callback after zookeeper_close(), which causes a UAF.

> do_completion() use-after-free when log level is debug
> ------------------------------------------------------
>
>                 Key: ZOOKEEPER-4809
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4809
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client
>            Reporter: fanyang
>            Priority: Minor
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> {code:c}
> void *do_completion(void *v)
> {
>     zhandle_t *zh = v;
>     // ...
>     api_epilog(zh, 0);                                           // L1
>     LOG_DEBUG(LOGCALLBACK(zh), "completion thread terminated");  // L2
>     return 0;
> }
> {code}
> When the log level is debug, L2 gets the log callback after zookeeper_close(), which causes a UAF.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
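The ordering problem in the report, as an added example that is not ZooKeeper's code and not the content of the linked pull request: a single-threaded C model of the worst-case schedule, where zookeeper_close() is already waiting for the completion thread and runs the moment api_epilog() signals, so the handle is dead by the time LOGCALLBACK(zh) is read. Everything here (model_handle_t, model_api_epilog, model_logcallback, do_completion_vulnerable, do_completion_fixed, run_scenario) is an assumed stand-in for the real client; the handle is marked dead instead of being passed to free() so the misuse is counted rather than being undefined behaviour. The hardened ordering (capture the callback before signalling, then log through the copy) is one assumed remedy, not the project's fix.

```c
#include <stdio.h>

/* Added example, not ZooKeeper's code: a model of the interleaving behind
 * ZOOKEEPER-4809. The handle is "freed" by clearing `alive` rather than by
 * calling free(), so a read after close is detected instead of being UB. */

typedef void (*log_cb_t)(const char *msg);

typedef struct {
    log_cb_t log_callback;   /* stands in for what LOGCALLBACK(zh) reads */
    int alive;               /* 1 while the handle is valid, 0 after close */
} model_handle_t;

static int g_uaf_count;      /* reads of the callback from a dead handle */
static int g_log_count;      /* messages actually delivered to the callback */

static void example_log(const char *msg) { (void)msg; g_log_count++; }

/* Stand-in for zookeeper_close(): invalidates the handle. */
static void model_close(model_handle_t *zh) { zh->alive = 0; }

/* Stand-in for LOGCALLBACK(zh): the field read that becomes the UAF. */
static log_cb_t model_logcallback(model_handle_t *zh) {
    if (!zh->alive) g_uaf_count++;   /* instrumented detection of the bug */
    return zh->log_callback;
}

/* Stand-in for api_epilog(zh, 0) under the worst-case schedule: the closing
 * thread is already blocked in zookeeper_close() waiting for the completion
 * thread, so the signal from the epilogue lets the close finish immediately. */
static void model_api_epilog(model_handle_t *zh) { model_close(zh); }

/* Stand-in for LOG_DEBUG(cb, msg): deliver through whatever callback we hold. */
static void log_debug(log_cb_t cb, const char *msg) { if (cb) cb(msg); }

/* Ordering from the report: the callback is read from zh after api_epilog(). */
static int do_completion_vulnerable(model_handle_t *zh) {
    model_api_epilog(zh);                                                /* L1 */
    log_debug(model_logcallback(zh), "completion thread terminated");    /* L2 */
    return g_uaf_count;
}

/* Assumed hardened ordering: capture the callback while the handle is still
 * valid, signal the epilogue, then log through the captured copy only. */
static int do_completion_fixed(model_handle_t *zh) {
    log_cb_t cb = model_logcallback(zh);   /* read before the handle can die */
    model_api_epilog(zh);
    log_debug(cb, "completion thread terminated");
    return g_uaf_count;
}

/* Runs one completion variant against a fresh handle; returns the number of
 * dead-handle accesses it performed (0 means no use-after-free). */
static int run_scenario(int (*completion)(model_handle_t *)) {
    model_handle_t h = { example_log, 1 };
    g_uaf_count = 0;
    g_log_count = 0;
    return completion(&h);
}

/* Number of log messages delivered by the most recent run_scenario(). */
static int delivered_logs(void) { return g_log_count; }

int main(void) {
    printf("vulnerable ordering: %d dead-handle access(es)\n",
           run_scenario(do_completion_vulnerable));
    printf("fixed ordering:      %d dead-handle access(es)\n",
           run_scenario(do_completion_fixed));
    return 0;
}
```

In the vulnerable ordering the debug message is still delivered, because the model keeps the memory intact; in the real client that same read hits freed memory, which is why the bug only shows up when the log level is debug and the schedule happens to let the close win the race.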