  1. C Driver
  2. CDRIVER-208

mongo_cursor_get_more has invalid free of cursor->reply

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 0.8.1
    • Affects Version/s: 0.7.1
    • Component/s: None
    • None

      The call "bson_free( cursor->reply );" is invalid, since mongo_cursor_destroy() destroys the reply as well, and the reply field is used a few lines down.

      Patch:

      diff --git a/src/mongo.c b/src/mongo.c
      index c8df093..2673e7f 100644
      — a/src/mongo.c
      +++ b/src/mongo.c
      @@ -1269,7 +1269,6 @@ static int mongo_cursor_get_more( mongo_cursor *cursor ) {
      data = mongo_data_append32( data, &limit );
      mongo_data_append64( data, &cursor->reply->fields.cursorID );

      • bson_free( cursor->reply );
        res = mongo_message_send( cursor->conn, mm );
        if( res != MONGO_OK ) {
        mongo_cursor_destroy( cursor );
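
Review bot: With the bson_free( cursor->reply ) ahead of mongo_message_send removed, nothing visible in this hunk releases the old reply on the success path. The hunk ends at the mongo_cursor_destroy( cursor ) error branch, so please confirm that the code following it frees the previous cursor->reply at the point where the new reply is stored; otherwise every successful get_more leaks one reply buffer. Freeing at the assignment site, with no window in which cursor->reply still points at released memory, also keeps the problem from the report (the field read a few lines down and freed again by mongo_cursor_destroy) from coming back.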

            Assignee:
            gjmurakami Gary Murakami
            Reporter:
            basic70 Daniel Brahneborg