[CDRIVER-2533] Double free in Kerberos auth logic

Created: 07/Mar/18
Updated: 28/Oct/23
Resolved: 12/Mar/18

Status: Closed
Project: C Driver
Component/s: auth, libmongoc
Affects Version/s: 1.8.0
Fix Version/s: 1.10.0

Type: Bug
Priority: Major - P3
Reporter: A. Jesse Jiryu Davis
Assignee: A. Jesse Jiryu Davis
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-2535 GSSAPI / Kerberos auth tests aren't r... Closed

 Description   

Several paths through _mongoc_cluster_auth_node_cyrus result in mongoc_cmd_parts_cleanup being called twice on the same mongoc_cmd_parts_t struct.

Introduced in:

https://github.com/mongodb/mongo-c-driver/commit/04127a0dab4683fcd27872dfcde0314bd76f8ea5



 Comments   
Comment by Githook User [ 12/Mar/18 ]

Author: A. Jesse Jiryu Davis (ajdavis) <jesse@mongodb.com>

Message: CDRIVER-2533 double free in cyrus sasl code
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/e948f1ac40cadf42404d75f9eb188dbe47d6f4e5

Comment by A. Jesse Jiryu Davis [ 07/Mar/18 ]

Doesn't crash, so long as the bson_t's in the mongoc_cmd_parts_t struct haven't spilled to heap. Calling bson_destroy() twice on these bson_t's does nothing. But if they ever did spill to heap, for example if a read preference or some other configuration exceeds 120 bytes, then Kerberos authentication would cause a crash. Caught via the BSON_MEMCHECK flag.
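Added example (not from the ticket, the fix commit, or mongo-c-driver): a model of why a repeated cleanup stays silent while data fits inline and becomes a double free once it spills past 120 bytes, with an idempotent cleanup as one common defence. `sbuf_t`, the toy allocator and every function name are hypothetical stand-ins, not libbson's types or API.

```c
#include <stddef.h>
#include <string.h>
#define INLINE_CAP 120 /* spill threshold quoted in the comment above */
#define SLOTS 4
#define SLOT_SIZE 512

/* Toy allocator over static storage (constructed for this example), so a
   repeated release is counted instead of corrupting the real heap. */
static unsigned char pool[SLOTS][SLOT_SIZE];
static int live[SLOTS], double_releases;

static unsigned char *toy_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; return pool[i]; }
    return NULL;
}

static void toy_free(unsigned char *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (p == pool[i]) { if (live[i]) live[i] = 0; else double_releases++; }
}

/* Hypothetical small-buffer type; a stand-in, not libbson's bson_t. */
typedef struct { unsigned char inl[INLINE_CAP]; unsigned char *heap; } sbuf_t;

static int sbuf_set(sbuf_t *b, const void *data, size_t n) {
    b->heap = NULL;
    if (n <= INLINE_CAP) { memcpy(b->inl, data, n); return 0; }
    if (n > SLOT_SIZE || !(b->heap = toy_alloc())) return -1;
    memcpy(b->heap, data, n);
    return 0;
}

/* Repeatable only while nothing spilled: heap stays dangling afterwards. */
static void sbuf_cleanup_naive(sbuf_t *b) { toy_free(b->heap); }
/* Idempotent: forget the pointer once it is released. */
static void sbuf_cleanup_once(sbuf_t *b) { toy_free(b->heap); b->heap = NULL; }

/* Clean up one object twice, as in the ticket; return double releases seen. */
int double_cleanup(size_t n, int idempotent) {
    static const unsigned char src[SLOT_SIZE];
    sbuf_t b;
    double_releases = 0;
    if (sbuf_set(&b, src, n) != 0) return -1;
    for (int pass = 0; pass < 2; pass++)
        if (idempotent) sbuf_cleanup_once(&b); else sbuf_cleanup_naive(&b);
    return double_releases;
}

int main(void) { return double_cleanup(200, 0) == 1 ? 0 : 1; }
```

Because the inline case hides the second cleanup, tests with small inputs pass; a memory-checking build or an AddressSanitizer run with inputs above the spill threshold is what exposes it.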
