Core Server: SERVER-7801

Potential access to freed memory by Tool::conn()


Details

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: None
    • Fix Version/s: 2.3.1
    • Component/s: Tools
    • Labels: None

    Description

      Code in question:

          DBClientBase& Tool::conn( bool slaveIfPaired ) {
              if ( slaveIfPaired && _conn->type() == ConnectionString::SET ) {
                  if (!_slaveConn) {
                      DBClientReplicaSet* rs = static_cast<DBClientReplicaSet*>(_conn);
                      // Raw pointer into memory owned by DBClientReplicaSet, cached for later calls.
                      _slaveConn = &rs->slaveConn();
                  }
                  // May dereference a connection the replica set object has since freed.
                  return *_slaveConn;
              }
              return *_conn;
          }

      This method caches _slaveConn from a raw pointer obtained from DBClientReplicaSet::slaveConn(). This is dangerous because DBClientReplicaSet owns that connection and can free it at any time (for example, when a secondary is promoted to primary, or when the read preference/slaveOk setting differs from the one used for the last query or command), leaving _slaveConn dangling.

      The quick and dirty fix is to never cache slaveConn. The better fix is to not hand out the raw connection at all, and instead use the slaveOk bit to run operations on the secondaries through the DBClientReplicaSet connection object.

      P.S. We should probably also fix this line:

      conn("true").simpleCommand("admin", &isdbgrid, "isdbgrid");
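      The hazard and the "never cache" fix, reduced to a self-contained C++ example. This is added illustration, not code from the ticket or from MongoDB: FakeConn, FakeReplicaSet, CachingTool and NoCacheTool are hypothetical stand-ins for DBClientBase, DBClientReplicaSet and Tool. The owner keeps its connection in a shared_ptr only so the example can observe, through a weak_ptr, that the object behind the cached raw pointer has been destroyed without dereferencing it; the real class hands out a reference into memory it owns and frees.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for DBClientBase (constructed for this example).
struct FakeConn {
    std::string host;
    explicit FakeConn(std::string h) : host(std::move(h)) {}
};

// Hypothetical stand-in for DBClientReplicaSet: owns the secondary connection
// and may replace it at any time (the ticket's examples: a secondary is
// promoted, or the slaveOk/read preference setting changes).
class FakeReplicaSet {
public:
    explicit FakeReplicaSet(std::string secondary)
        : slave_(std::make_shared<FakeConn>(std::move(secondary))) {}

    // Mirrors DBClientReplicaSet::slaveConn(): a reference into owned memory.
    FakeConn& slaveConn() { return *slave_; }

    // Lifetime observer, used only by the example's dangling check.
    std::weak_ptr<FakeConn> slaveWatch() const { return slave_; }

    // Topology change: the previous connection object is destroyed.
    void promote(std::string newSecondary) {
        slave_ = std::make_shared<FakeConn>(std::move(newSecondary));
    }

private:
    std::shared_ptr<FakeConn> slave_;
};

// The pattern from the ticket: the raw pointer is cached across calls.
class CachingTool {
public:
    explicit CachingTool(FakeReplicaSet& rs) : rs_(rs) {}

    FakeConn* conn() {
        if (!slaveConn_) {
            slaveConn_ = &rs_.slaveConn();
            watch_ = rs_.slaveWatch();
        }
        return slaveConn_;  // after promote() this points at freed memory
    }

    // True once the object behind the cached pointer has been destroyed.
    bool cachedPointerDangling() const {
        return slaveConn_ != nullptr && watch_.expired();
    }

private:
    FakeReplicaSet& rs_;
    FakeConn* slaveConn_ = nullptr;
    std::weak_ptr<FakeConn> watch_;
};

// The "quick and dirty" fix: never cache; resolve through the owner on every call.
class NoCacheTool {
public:
    explicit NoCacheTool(FakeReplicaSet& rs) : rs_(rs) {}
    FakeConn& conn() { return rs_.slaveConn(); }
private:
    FakeReplicaSet& rs_;
};

// Cache the pointer, then let a promotion free the cached object.
// Returns true: the cached pointer now dangles.
bool cachedPointerDanglesAfterPromote() {
    FakeReplicaSet rs("secondary-a:27017");
    CachingTool tool(rs);
    tool.conn();                      // cache the raw pointer
    rs.promote("secondary-b:27017");  // owner frees the cached object
    return tool.cachedPointerDangling();
}

// Same sequence without caching: every call sees the owner's current
// connection, so the host changes from secondary-a to secondary-b.
std::string hostSeenWithoutCache() {
    FakeReplicaSet rs("secondary-a:27017");
    NoCacheTool tool(rs);
    std::string before = tool.conn().host;
    rs.promote("secondary-b:27017");
    return before + " -> " + tool.conn().host;
}

int main() {
    std::cout << std::boolalpha
              << "cached pointer dangles after promote: "
              << cachedPointerDanglesAfterPromote() << '\n'
              << "without cache: " << hostSeenWithoutCache() << '\n';
    return 0;
}
```

      Running the example prints that the cached pointer dangles after the promotion while the non-caching tool simply follows the owner to the new connection. Under AddressSanitizer, dereferencing the cached pointer in the first case is reported as a heap-use-after-free, which is the condition the ticket title describes.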

          People

            Assignee: Unassigned
            Reporter: Randolph Tan (randolph@mongodb.com)