[CDRIVER-211] Use of uninitialized memory within the mongo_read_response function. Created: 26/Apr/13 Updated: 03/May/17 Resolved: 08/Aug/13 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | 0.7.1 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Blocker - P1 |
| Reporter: | Tim Shelton | Assignee: | Gary Murakami |
| Resolution: | Done | Votes: | 0 |
| Labels: | corrupt, crash | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Use of uninitialized value on the stack (len). Fix is included. Hope to see this added.

==4699== Thread 14:

Issue code:

    static int mongo_read_response( mongo *conn, mongo_reply **reply ) {
        mongo_env_read_socket( conn, &head, sizeof( head ) );
        bson_little_endian32( &len, &head.len );

Fixed code:

    static int mongo_read_response( mongo *conn, mongo_reply **reply ) {
        mongo_env_read_socket( conn, &head, sizeof( head ) );
        bson_little_endian32( &len, &head.len );

--------------------------------------------------------------------
--- src/mongo.c 2013-04-26 14:59:47.791595035 -0500
    mongo_env_read_socket( conn, &head, sizeof( head ) ); |
| Comments |
| Comment by Gary Murakami [ 08/Aug/13 ] |
|
Agreed, fixed by |
| Comment by Paul Melnikow [ 04/Jul/13 ] |
|
Looks like it was fixed in this commit: |
| Comment by Tim Shelton [ 04/Jul/13 ] |
|
Yes; however, if the read from the socket fails while writing to the len value, bson_little_endian32 fails, and then len is an undefined value and execution continues. Valgrind doesn't lie. I'm just reporting what I find.

Tim
CTO |
| Comment by Paul Melnikow [ 04/Jul/13 ] |
|
This fix doesn't make sense. The call to bson_little_endian32 writes to len; it doesn't depend on the value of len. |
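The two comments above disagree about where the garbage in len comes from: bson_little_endian32 does write len, but it copies from head.len, which is only defined if the preceding socket read succeeded. The following is an added example, not code from the driver or from this ticket: it uses hypothetical stand-ins (fake_read for mongo_env_read_socket, le32 for bson_little_endian32, a constructed fake socket and constructed headers, an assumed MAX_MSG bound) to show a reader that checks the read status before decoding the length and bounds-checks the length before anything could act on it.

```c
#include <stdint.h>
#include <string.h>
#define MAX_MSG (48 * 1024 * 1024) /* assumed upper bound on one reply */

/* Hypothetical header mirroring the leading field of the driver's mongo_reply:
 * the little-endian int32 message length comes first on the wire. */
typedef struct { int32_t len, id, response_to, op; } hdr_t;

/* Constructed fake socket: a byte buffer that can be cut short to model a failed read. */
typedef struct { const uint8_t *buf; size_t avail, pos; } fake_sock_t;
/* Stand-in for mongo_env_read_socket: 0 on a full read, -1 on a short one,
 * leaving dst untouched on failure (the case Valgrind flagged). */
static int fake_read(fake_sock_t *s, void *dst, size_t n) {
    if (s->avail - s->pos < n) return -1;
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return 0;
}

/* Stand-in for bson_little_endian32: decode a little-endian int32 from raw bytes. */
static int32_t le32(const void *p) {
    const uint8_t *b = p;
    return (int32_t)((uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24);
}

/* Hardened read: len starts defined, the read status is checked before the length
 * is decoded, and the length is bounds-checked before anything could act on it. */
static int read_response_len(fake_sock_t *s, int32_t *out_len) {
    hdr_t head;
    int32_t len = 0;
    memset(&head, 0, sizeof head);
    if (fake_read(s, &head, sizeof head) != 0) return -1; /* read failed: stop */
    len = le32(&head.len);
    if (len < (int32_t)sizeof head || len > MAX_MSG) return -2; /* corrupt length */
    *out_len = len;
    return 0;
}

/* Constructed sample headers: a sane 32-byte reply and one claiming ~2 GiB. */
static const uint8_t HDR_OK[16]  = {0x20,0,0,0, 1,0,0,0, 0,0,0,0, 1,0,0,0};
static const uint8_t HDR_BIG[16] = {0xff,0xff,0xff,0x7f, 1,0,0,0, 0,0,0,0, 1,0,0,0};
/* Feed `avail` bytes of `hdr` to the reader: the decoded length when accepted,
 * otherwise the negative status code. */
static int32_t probe(const uint8_t *hdr, size_t avail) {
    fake_sock_t s = { hdr, avail, 0 };
    int32_t len = 0;
    int rc = read_response_len(&s, &len);
    return rc == 0 ? len : rc;
}
```

probe(HDR_OK, 16) returns 32, probe(HDR_OK, 4) returns -1 (short read, len never decoded), and probe(HDR_BIG, 16) returns -2 (length rejected before any allocation).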