[CDRIVER-2533] Double free in Kerberos auth logic
Created: 07/Mar/18 | Updated: 28/Oct/23 | Resolved: 12/Mar/18
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | auth, libmongoc |
| Affects Version/s: | 1.8.0 |
| Fix Version/s: | 1.10.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | A. Jesse Jiryu Davis | Assignee: | A. Jesse Jiryu Davis |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
|
Several paths through _mongoc_cluster_auth_node_cyrus result in mongoc_cmd_parts_cleanup being called twice on the same mongoc_cmd_parts_t struct. Introduced in: https://github.com/mongodb/mongo-c-driver/commit/04127a0dab4683fcd27872dfcde0314bd76f8ea5 |
| Comments |
| Comment by Githook User [ 12/Mar/18 ] |
|
Author: {'email': 'jesse@mongodb.com', 'name': 'A. Jesse Jiryu Davis', 'username': 'ajdavis'} Message: |
| Comment by A. Jesse Jiryu Davis [ 07/Mar/18 ] |
|
Doesn't crash, so long as the bson_t's in the mongoc_cmd_parts_t struct haven't spilled to heap. Calling bson_destroy() twice on these bson_t's does nothing. But if they ever did spill to heap, for example if a read preference or some other configuration exceeds 120 bytes, then Kerberos authentication would cause a crash. Caught via the BSON_MEMCHECK flag. |
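
Added example (not part of the ticket or the driver's code): a minimal C model of why a repeated cleanup is silent while the data stays inline and becomes a double free once it spills to heap. `toy_doc_t`, `slot_t`, the tracked allocator and `auth_path` are hypothetical stand-ins, not libbson or libmongoc APIs, and the idempotent cleanup is one defensive pattern, not necessarily the committed fix.

```c
#include <stddef.h>
#include <stdio.h>

#define INLINE_CAP 120   /* the 120-byte threshold mentioned in the comment */

/* Hypothetical tracked allocator: records a second free instead of performing it. */
typedef struct { int live; unsigned char data[512]; } slot_t;
static slot_t arena[4];
static int double_frees;

static slot_t *toy_alloc(void) {
    for (size_t i = 0; i < sizeof arena / sizeof arena[0]; i++)
        if (!arena[i].live) { arena[i].live = 1; return &arena[i]; }
    return NULL;
}

static void toy_free(slot_t *s) {
    if (s == NULL) return;
    if (!s->live) { double_frees++; return; }  /* with real free(): undefined behaviour */
    s->live = 0;
}

/* Hypothetical stand-in for a bson_t-like document: inline until it outgrows INLINE_CAP. */
typedef struct { unsigned char inline_buf[INLINE_CAP]; slot_t *heap; size_t len; } toy_doc_t;

static void doc_init(toy_doc_t *d, size_t len) {
    d->len = len;
    d->heap = (len > INLINE_CAP) ? toy_alloc() : NULL;  /* "spill to heap" */
}

/* Non-idempotent cleanup: leaves the stale heap pointer in place. */
static void cleanup_stale(toy_doc_t *d) { toy_free(d->heap); }

/* Idempotent cleanup: a second call sees NULL and does nothing. */
static void cleanup_reset(toy_doc_t *d) { toy_free(d->heap); d->heap = NULL; d->len = 0; }

/* Models an error branch that cleans up, followed by a shared exit that cleans up
   again. Returns the number of double frees the tracked allocator observed. */
int auth_path(size_t doc_len, int use_reset) {
    toy_doc_t parts;
    double_frees = 0;
    doc_init(&parts, doc_len);
    if (use_reset) cleanup_reset(&parts); else cleanup_stale(&parts);  /* error branch */
    if (use_reset) cleanup_reset(&parts); else cleanup_stale(&parts);  /* shared exit */
    return double_frees;
}

int main(void) {
    printf("%d %d %d\n", auth_path(64, 0), auth_path(200, 0), auth_path(200, 1));
    return 0;
}
```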