-
Type: Bug
-
Resolution: Unresolved
-
Priority: Major - P3
-
None
-
Affects Version/s: None
-
Component/s: libmongoc
-
None
When discussing CDRIVER-3438, the following scenario seems like a very possible bug in libmongoc:
Create an exhaust cursor against server S1. This sets mongoc_client_t's in_exhaust flag to true. Since S1 expects to stream all documents requested, the socket to S1 can only be read from (and must be closed when done) in mongoc_cursor_destroy.
While the mongoc_client_t is still in_exhuast, call mongoc_client_select_server, triggering a topology scan. Since there is no check of client->in_exhaust in mongoc-async-cmd.c, the scan will attempt to send an isMaster on the same socket to S1. This will result in an out-of-bound write to the socket.
Note, I believe this bug would only appear if the user were to call mongoc_client_select_server while the client was in exhaust. Other operations that would otherwise do I/O would check (and correctly error) in the common I/O code path of mongoc-cluster.c.
- is related to
-
CDRIVER-3438 Destroy exhaust cursor socket in mongoc_cursor_destroy regardless of client generation
- Closed