CDRIVER-740

Use-after-free if a primary doesn't report itself in hosts lists

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 1.2-beta0
    • Affects Version/s: 1.2.0
    • Component/s: libmongoc
    • Labels: None

      Bug in unreleased code, in the implementation of the Server Discovery And Monitoring spec.

      In the hosts_differ_from_seeds test, the driver connects to "a" and finds a primary whose host list is ["b"]. The primary does not include "a" in its own hosts list.

      The driver adds "b" to its topology description, then iterates over the topology description, removing every server that is missing from the hosts list reported by "a". When it removes the server description for "a" it calls mongoc_server_description_cleanup, which frees the server description for "a", including its hosts list. It then continues iterating over the topology description and checks whether "b" is in the hosts list reported by "a".

      Thus the driver accesses the hosts list reported by "a" after freeing that list.

      So far I've observed either no error from this sequence, or an apparent logic error in "hosts_differ_from_seeds":

      Assert Failure: 1 == 0
      tests/test-mongoc-sdam.c:150  test_sdam_cb()
      

      A segfault is only a matter of time, however.
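As an added example, not code from libmongoc, the following self-contained C model reproduces the hosts_differ_from_seeds sequence with a hypothetical server description and topology description and shows the ordering that avoids the use-after-free: the primary's hosts list is deep-copied before the prune loop, so freeing the primary's own description mid-loop (the case where the primary omits itself) leaves nothing dangling. Every type and function name here is an assumption; only the role of the cleanup call (freeing the description together with its hosts list) is taken from the report above.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SERVERS 8
#define MAX_HOSTS 8

/* Hypothetical, simplified server description: the address it was reached on
 * and the hosts list it reported. The struct owns all of its strings. */
typedef struct {
    char *address;
    char *hosts[MAX_HOSTS];
    int n_hosts;
} server_description_t;

/* Hypothetical topology description; it owns its server descriptions. */
typedef struct {
    server_description_t *servers[MAX_SERVERS];
    int n_servers;
} topology_description_t;

static char *dup_str(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

static server_description_t *server_description_new(const char *address,
                                                    const char *const *hosts, int n_hosts)
{
    server_description_t *sd = calloc(1, sizeof *sd);
    sd->address = dup_str(address);
    for (int i = 0; i < n_hosts && i < MAX_HOSTS; i++)
        sd->hosts[sd->n_hosts++] = dup_str(hosts[i]);
    return sd;
}

/* Frees the description and everything it owns, including its hosts list. */
static void server_description_cleanup(server_description_t *sd)
{
    for (int i = 0; i < sd->n_hosts; i++) free(sd->hosts[i]);
    free(sd->address);
    free(sd);
}

static int hosts_contain(char *const *hosts, int n_hosts, const char *address)
{
    for (int i = 0; i < n_hosts; i++)
        if (strcmp(hosts[i], address) == 0) return 1;
    return 0;
}

static server_description_t *topology_find(topology_description_t *td, const char *address)
{
    for (int i = 0; i < td->n_servers; i++)
        if (strcmp(td->servers[i]->address, address) == 0) return td->servers[i];
    return NULL;
}

/* Step 1 of the update: add each reported host (empty hosts list) unless present. */
static void topology_add(topology_description_t *td, const char *address)
{
    if (topology_find(td, address) || td->n_servers >= MAX_SERVERS) return;
    td->servers[td->n_servers++] = server_description_new(address, NULL, 0);
}

/* Step 2: drop every server the primary did not list. The primary's own
 * description can be among those dropped (it omitted itself) and freeing it
 * frees its hosts list, so the list is copied before the loop. Reading
 * primary->hosts inside the loop instead is the use-after-free reported here. */
static void topology_prune_to_primary_hosts(topology_description_t *td, const char *primary_address)
{
    server_description_t *primary = topology_find(td, primary_address);
    if (!primary) return;
    char *hosts_copy[MAX_HOSTS];
    int n_hosts = primary->n_hosts;
    for (int i = 0; i < n_hosts; i++) hosts_copy[i] = dup_str(primary->hosts[i]);
    int kept = 0;
    for (int i = 0; i < td->n_servers; i++) {
        server_description_t *sd = td->servers[i];
        if (hosts_contain(hosts_copy, n_hosts, sd->address))
            td->servers[kept++] = sd;
        else
            server_description_cleanup(sd); /* may be 'primary' itself */
    }
    td->n_servers = kept;
    for (int i = 0; i < n_hosts; i++) free(hosts_copy[i]);
}

/* Seeds the topology with "a" and has "a" report ["b"], or ["a", "b"] when
 * primary_lists_itself is nonzero (constructed input). Returns how many servers remain. */
int run_scenario(int primary_lists_itself)
{
    const char *all_hosts[] = {"a", "b"};
    const char *const *reported = primary_lists_itself ? all_hosts : all_hosts + 1;
    int n_reported = primary_lists_itself ? 2 : 1;
    topology_description_t td = {{0}, 0};
    td.servers[td.n_servers++] = server_description_new("a", reported, n_reported);
    for (int i = 0; i < n_reported; i++) topology_add(&td, reported[i]);
    topology_prune_to_primary_hosts(&td, "a");
    int remaining = td.n_servers;
    for (int i = 0; i < remaining; i++) server_description_cleanup(td.servers[i]);
    return remaining;
}
```

With the primary omitting itself, run_scenario(0) leaves one server ("b"); with the primary listing itself, run_scenario(1) leaves two. Building with -fsanitize=address and replacing hosts_copy in the loop with primary->hosts turns the silent logic error from the report into an immediate heap-use-after-free diagnostic, which is the quickest way to confirm a fix of this kind in a test suite.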

            Assignee:
            jesse@mongodb.com A. Jesse Jiryu Davis
            Reporter:
            jesse@mongodb.com A. Jesse Jiryu Davis