Calling session methods after Session::endSession() causes use-after-free crash


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical - P2
    • 1.5.2
    • Affects Version/s: 1.5.0
    • Component/s: None

Session::endSession() calls mongoc_client_session_destroy(), which frees the session object; however, it leaves intern->client_session as-is. This can lead to a double-free (later, from php_phongo_session_free_object()) or to use-after-free bugs in other methods. The double-free case is trivially fixed by assigning NULL after calling mongoc_client_session_destroy(), but the use-after-free fix will require additional checks in the other methods that currently assume intern->client_session is non-null.

Note: We typically don't assign NULL to our resource pointers after destroying them because that destruction happens during a free_object handler and the zval struct will soon be freed; however, that is not the case for endSession().
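As an added illustration (a constructed model, not the driver's code): the endSession() -> method call -> free_object sequence described above, with the dangling pointer left in place beside the NULL-assignment fix and the NULL check that the other methods need. mock_session_* stand in for the libmongoc calls, and the session is kept allocated after "destroy" so the invalid second destroy and the later access can be counted instead of being undefined behaviour.

```c
#include <stdlib.h>

/* Constructed stand-in for mongoc_client_session_t: 'alive' is cleared on
 * destroy instead of freeing, so a second destroy or a later access is
 * observable rather than undefined behaviour. */
typedef struct { int alive; } mock_session_t;
static int double_frees = 0;

static mock_session_t *mock_session_new(void) {
    mock_session_t *s = calloc(1, sizeof *s);
    s->alive = 1;
    return s;
}
/* Stands in for mongoc_client_session_destroy(); NULL is a no-op. */
static void mock_session_destroy(mock_session_t *s) {
    if (!s) return;
    if (!s->alive) { double_frees++; return; }   /* real code: double free */
    s->alive = 0;
}
typedef struct { mock_session_t *client_session; } php_phongo_session_t;

/* Before the fix: the freed pointer stays in intern->client_session. */
static void end_session_buggy(php_phongo_session_t *intern) {
    mock_session_destroy(intern->client_session);
}
/* After the fix: clear the pointer so a later destroy becomes a no-op. */
static void end_session_fixed(php_phongo_session_t *intern) {
    mock_session_destroy(intern->client_session);
    intern->client_session = NULL;
}
/* Models php_phongo_session_free_object(): destroys whatever is stored. */
static void free_object(php_phongo_session_t *intern) {
    mock_session_destroy(intern->client_session);
}
typedef struct { int double_frees, use_after_free; } outcome_t;

/* Runs endSession() -> another session method -> free_object handler. */
static outcome_t run_scenario(int fixed) {
    outcome_t out = {0, 0};
    double_frees = 0;
    mock_session_t *s = mock_session_new();
    php_phongo_session_t intern = { s };
    if (fixed) end_session_fixed(&intern); else end_session_buggy(&intern);
    /* The NULL check is the guard other methods need; without the fix the
     * pointer is non-NULL and the method reaches a destroyed session. */
    if (intern.client_session && !intern.client_session->alive)
        out.use_after_free = 1;
    free_object(&intern);
    out.double_frees = double_frees;
    free(s);
    return out;
}
```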

Assignee: Derick Rethans
Reporter: Jeremy Mikola
Votes: 0
Watchers: 2
