Core Server / SERVER-7801

Potential access to freed memory by Tool::conn()

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: 2.3.1
    • Component/s: Tools
    • Labels:
      None

      Code in question:

          DBClientBase& Tool::conn( bool slaveIfPaired ) {
              if ( slaveIfPaired && _conn->type() == ConnectionString::SET ) {
                  if (!_slaveConn) {
                      DBClientReplicaSet* rs = static_cast<DBClientReplicaSet*>(_conn);
                      // Raw pointer into an object owned (and possibly freed later) by rs
                      _slaveConn = &rs->slaveConn();
                  }
                  // Cached pointer is reused on every later call, whatever rs has done since
                  return *_slaveConn;
              }
              return *_conn;
          }

      This method caches _slaveConn from a raw pointer obtained from DBClientReplicaSet::slaveConn. This is very dangerous since DBClientReplicaSet owns the pointer and can decide to free it at any time (for example, when a secondary was promoted to become a primary, or the read preference/slaveOk setting was different from the last query/command).

      The quick and dirty fix is to never cache slaveConn, ever. The more ideal fix is to not return the raw connection but to instead use the slaveOk bit to perform operations on the secondaries via the DBClientReplicaSet connection object.

      P.S. We should probably also fix this line:

      conn("true").simpleCommand("admin", &isdbgrid, "isdbgrid");
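As an added illustration, not code from the ticket or from the MongoDB code base, the following C++ sketch reproduces the ownership hazard the ticket describes with constructed stand-in classes: ReplicaSetOwner plays the role of DBClientReplicaSet (it owns the secondary connection and may replace it, here via a hypothetical reselectSecondary()), CachingTool mirrors the Tool::conn() pattern of caching the raw pointer once, and NonCachingTool applies the "never cache slaveConn" fix. The generation counter and cacheIsStale() exist only so the example can report staleness without dereferencing freed memory; all of these names are assumptions of the example.

```cpp
#include <memory>
#include <string>

// Constructed stand-in for the connection object the replica-set client hands out.
struct SecondaryConn {
    std::string host;
};

// Constructed stand-in for DBClientReplicaSet: it owns the secondary connection
// and may discard it at any time (failover, changed read preference), which is
// exactly what turns a cached raw pointer into a dangling one.
class ReplicaSetOwner {
public:
    explicit ReplicaSetOwner(std::string host)
        : _slave(std::make_unique<SecondaryConn>(SecondaryConn{std::move(host)})) {}

    SecondaryConn& slaveConn() { return *_slave; }

    // Hypothetical hook simulating the owner replacing its secondary connection.
    // The new object is allocated before the old one is released.
    void reselectSecondary(std::string host) {
        auto fresh = std::make_unique<SecondaryConn>(SecondaryConn{std::move(host)});
        _slave = std::move(fresh);  // the previous SecondaryConn is freed here
        ++_generation;
    }

    // Bumped on every replacement; used only for detection in this example.
    unsigned generation() const { return _generation; }

private:
    std::unique_ptr<SecondaryConn> _slave;
    unsigned _generation = 0;
};

// Mirrors the ticket's Tool::conn(): resolves the secondary once and keeps the
// raw pointer for the lifetime of the tool, regardless of what the owner does.
class CachingTool {
public:
    explicit CachingTool(ReplicaSetOwner& rs) : _rs(rs) {}

    SecondaryConn& conn() {
        if (!_slaveConn) {
            _slaveConn = &_rs.slaveConn();
            _cachedGen = _rs.generation();
        }
        return *_slaveConn;  // dangles once the owner has reselected
    }

    // The cache is stale whenever the owner has replaced its connection since
    // the pointer was copied. Real code has no such signal, which is the point.
    bool cacheIsStale() const {
        return _slaveConn != nullptr && _cachedGen != _rs.generation();
    }

private:
    ReplicaSetOwner& _rs;
    SecondaryConn* _slaveConn = nullptr;
    unsigned _cachedGen = 0;
};

// The "never cache" fix from the ticket: ask the owner on every call, so the
// tool always sees whichever connection the owner currently holds.
class NonCachingTool {
public:
    explicit NonCachingTool(ReplicaSetOwner& rs) : _rs(rs) {}
    SecondaryConn& conn() { return _rs.slaveConn(); }

private:
    ReplicaSetOwner& _rs;
};

struct Outcome {
    bool cachingToolStale;       // true if the cached pointer now refers to freed memory
    std::string nonCachingHost;  // host the fixed tool talks to after the reselection
};

// Drives the scenario: cache the pointer, let the owner reselect, compare.
// The caching tool's conn() is deliberately not called again after the
// reselection, since that would be the use-after-free.
Outcome runFailoverScenario() {
    ReplicaSetOwner rs("secondary-a:27017");
    CachingTool caching(rs);
    NonCachingTool fixed(rs);

    caching.conn();  // first call stores the raw pointer
    rs.reselectSecondary("secondary-b:27017");

    return Outcome{caching.cacheIsStale(), fixed.conn().host};
}
```

Running the scenario under AddressSanitizer with one extra `caching.conn().host` read after the reselection is the quickest way to confirm the hazard on a real build; the generation counter here only stands in for that instrumentation.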

            Assignee: Unassigned
            Reporter: Randolph Tan (randolph@mongodb.com)
            Votes: 0
            Watchers: 1