[CDRIVER-208] mongo_cursor_get_more has invalid free of cursor->reply Created: 19/Apr/13  Updated: 09/Aug/13  Resolved: 09/Aug/13

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 0.7.1
Fix Version/s: 0.8.1

Type: Bug Priority: Major - P3
Reporter: Daniel Brahneborg Assignee: Gary Murakami
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

The call "bson_free( cursor->reply );" is invalid, since mongo_cursor_destroy() destroys the reply as well, and the reply field is used a few lines down.
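The ownership sequence at issue, as an added illustration that is not driver code: a hypothetical, simplified cursor model with an instrumented allocator standing in for bson_malloc/bson_free, run through three variants of get_more (the 0.7.1 sequence, the proposed patch that drops the free, and a variant that frees and clears the pointer) on both the failing-send and succeeding-send paths. The counters show which variant double-frees and which one leaks.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of cursor/reply ownership; not mongo-c-driver code. */
typedef struct { long cursorID; } reply_t;
typedef struct { reply_t *reply; int send_fails; } cursor_t;

/* Instrumented allocator: memory is kept in a pool and only marked freed,
 * so a second free of the same reply is detectable instead of being UB. */
enum { MAX_REPLIES = 16 };
static reply_t *pool[MAX_REPLIES];
static int freed[MAX_REPLIES], npool, live_replies, double_frees;

static reply_t *reply_alloc(long id) {
    reply_t *r = malloc(sizeof *r);
    r->cursorID = id;
    pool[npool] = r; freed[npool] = 0; npool++; live_replies++;
    return r;
}
static void reply_free(reply_t *r) {
    if (!r) return;                          /* free(NULL) is a no-op */
    for (int i = 0; i < npool; i++)
        if (pool[i] == r) { if (freed[i]) double_frees++; else { freed[i] = 1; live_replies--; } return; }
}
static void pool_reset(void) {
    for (int i = 0; i < npool; i++) free(pool[i]);
    npool = live_replies = double_frees = 0;
}

/* Stand-ins for mongo_message_send and mongo_cursor_destroy. */
static int message_send(cursor_t *c) { return c->send_fails ? -1 : 0; }
static void cursor_destroy(cursor_t *c) { reply_free(c->reply); c->reply = NULL; }

/* variant 0: free the old reply, then destroy on error (double free on failure)
 * variant 1: the proposed patch, no free (old reply leaks on success)
 * variant 2: free and clear the pointer so destroy sees NULL (neither) */
static int get_more(cursor_t *c, int variant) {
    long id = c->reply->cursorID;            /* cursorID is read before the reply is released */
    if (variant != 1) reply_free(c->reply);
    if (variant == 2) c->reply = NULL;
    if (message_send(c) != 0) { cursor_destroy(c); return -1; }
    c->reply = reply_alloc(id + 1);          /* next batch replaces the reply */
    return 0;
}

/* Runs one variant on one path; returns live_replies * 10 + double_frees after teardown. */
static int run(int variant, int send_fails) {
    pool_reset();
    cursor_t c = { reply_alloc(1), send_fails };
    if (get_more(&c, variant) == 0) cursor_destroy(&c);
    return live_replies * 10 + double_frees;
}

int main(void) {
    for (int v = 0; v < 3; v++)
        printf("variant %d: send fails -> %d, send ok -> %d\n", v, run(v, 1), run(v, 0));
    pool_reset();
    return 0;
}
```

A result of 1 means one double free, 10 means one leaked reply, 0 means the reply was released exactly once.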

Patch:

diff --git a/src/mongo.c b/src/mongo.c
index c8df093..2673e7f 100644
— a/src/mongo.c
+++ b/src/mongo.c
@@ -1269,7 +1269,6 @@ static int mongo_cursor_get_more( mongo_cursor *cursor ) {
data = mongo_data_append32( data, &limit );
mongo_data_append64( data, &cursor->reply->fields.cursorID );

  • bson_free( cursor->reply );
    res = mongo_message_send( cursor->conn, mm );
    if( res != MONGO_OK ) {
    mongo_cursor_destroy( cursor );
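Review bot: deleting `bson_free( cursor->reply );` trades the double free for a leak: on the path where `mongo_message_send` succeeds, the reply this line released is now never freed, which is the valgrind finding reported in the later comment. Since `mongo_cursor_destroy( cursor )` on the error path frees `cursor->reply` as well, the safer change is to keep the free and clear the pointer (`bson_free( cursor->reply ); cursor->reply = NULL;`) so that destroy sees NULL, and to confirm that the use of the reply field a few lines below, which the description mentions, happens only after the field has been reassigned.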


Comments
Comment by Daniel Brahneborg [ 09/Aug/13 ]

It's kind of irrelevant due to CDRIVER-209 anyway.

/Daniel

Comment by auto [ 09/Aug/13 ]

Author: Gary J. Murakami (gjmurakami-10gen, gary.murakami@10gen.com)

Message: CDRIVER-208 [undo] mongo_cursor_get_more has invalid free of cursor->reply
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/023cc162d19d8559c88f4f5e513b992a2bb4fcb9

Comment by Gary Murakami [ 09/Aug/13 ]

On further investigation, the line in question is needed to free previously allocated memory. Removing it causes a memory leak which is caught/verified by valgrind.

Comment by auto [ 08/Aug/13 ]

Author: Gary J. Murakami (gjmurakami-10gen, gary.murakami@10gen.com)

Message: mongo_cursor_get_more has invalid free of cursor->reply

CDRIVER-208
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/6a02a963c3b848fbcf38c358bbaf0877d1deabf5

Generated at Wed Feb 07 21:08:46 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.