C Driver / CDRIVER-880

mongoc_collection_aggregate might return a destroyed cursor

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 1.2-rc0
    • Affects Version/s: 1.2-beta1
    • Component/s: libmongoc
    • Labels: None

      mongoc_collection_aggregate has a check for cursor validity, and if it fails, calls mongoc_cursor_destroy (around line 300 in mongoc-collection.c).

      This code can be reached in situations when the MongoDB server misbehaves, returns an invalid cursor, has a memory issue, or just crashes.

      The destroyed cursor is then returned to the caller, which usually quickly identifies that it is invalid and calls mongoc_cursor_destroy, which leads to a double-free crash.

      The example code given in http://api.mongodb.org/c/current/aggregate.html will crash if this occurs.

      It looks like this was working before by creating a dummy cursor, but this code was removed in commit 346349d8d1e721e782d (as part of CDRIVER-735).
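
The ownership problem described above, reduced to a self-contained model (an added example, not code from libmongoc or from this issue). The `toy_cursor_*` and `aggregate_*` names are hypothetical stand-ins; `aggregate_fixed` follows the "dummy cursor" behaviour the report mentions and is not necessarily the driver's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a driver cursor (hypothetical; not libmongoc's type).
 * Cursors live in a static pool so that a second destroy can be counted
 * safely; with malloc/free it would be a double free. */
typedef struct { bool failed; int destroy_calls; } toy_cursor_t;
static toy_cursor_t pool[4];
static size_t pool_next;

static toy_cursor_t *toy_cursor_new(bool reply_valid) {
    toy_cursor_t *c = &pool[pool_next++ % 4];
    *c = (toy_cursor_t){ .failed = !reply_valid, .destroy_calls = 0 };
    return c;
}

static void toy_cursor_destroy(toy_cursor_t *c) {
    c->destroy_calls++;
}

/* Pattern from the report: when the validity check fails, the cursor is
 * destroyed, yet the same pointer is still returned to the caller. */
static toy_cursor_t *aggregate_buggy(bool reply_valid) {
    toy_cursor_t *c = toy_cursor_new(reply_valid);
    if (c->failed)
        toy_cursor_destroy(c);
    return c;
}

/* Safer contract: always return a live cursor that carries the error, so
 * the caller's destroy is the only one. */
static toy_cursor_t *aggregate_fixed(bool reply_valid) {
    return toy_cursor_new(reply_valid);
}

/* Caller following the usual pattern: take the cursor, then destroy it.
 * Returns how many times that cursor was destroyed in total. */
static int caller_destroy_count(toy_cursor_t *(*aggregate)(bool), bool valid) {
    toy_cursor_t *c = aggregate(valid);
    toy_cursor_destroy(c);
    return c->destroy_calls;
}

int main(void) {
    printf("buggy, bad reply: %d destroys\n", caller_destroy_count(aggregate_buggy, false));
    printf("fixed, bad reply: %d destroys\n", caller_destroy_count(aggregate_fixed, false));
    return 0;
}
```

A destroy count of 2 on the failure path is the double free; the caller's code is identical in both cases, which is why the fix belongs in the function that returns the cursor.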

            Assignee: Kyle Suarez (kyle.suarez@mongodb.com)
            Reporter: Yuval Hager (yhager)