[CDRIVER-740] Use-after-free if a primary doesn't report itself in hosts lists Created: 13/Jul/15 Updated: 12/Aug/15 Resolved: 17/Jul/15 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | libmongoc |
| Affects Version/s: | 1.2.0 |
| Fix Version/s: | 1.2-beta0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | A. Jesse Jiryu Davis | Assignee: | A. Jesse Jiryu Davis |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Bug in unreleased code, in implementation of Server Discovery And Monitoring Spec.

In the hosts_differ_from_seeds test, the driver connects to "a" and finds a primary whose host list is ["b"]. The primary does not include "a" in its own hosts list. The driver adds "b" to its topology description, then iterates the topology description, removing servers missing from the hosts list from "a". When it removes the server description for "a" it calls mongoc_server_description_cleanup, which frees the server description for "a", including its hosts list. It then continues iterating the topology description, and checks if "b" is in the hosts list reported by "a". Thus the driver accesses the hosts list reported by "a" after freeing that list.

So far I've observed either no error from this sequence, or an apparent logic error in "hosts_differ_from_seeds":
A segfault is only a matter of time, however. |
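The sequence the description walks through, as an added illustration that is not libmongoc code: a minimal model of a topology description whose "remove servers missing from the primary's hosts list" step first reproduces the dangling read (the filter keeps consulting the hosts list owned by the very server description it just freed), then the hardened form, which snapshots the reported hosts list before mutating the topology. All type and function names (server_description_t, td_update_from_primary, run_hosts_differ_from_seeds, and so on) and the seed/hosts data are hypothetical stand-ins constructed for the example.

```c
/* Added illustration for CDRIVER-740; not libmongoc code. All names are
 * hypothetical stand-ins for the real SDAM structures. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SERVERS 8
#define MAX_HOSTS   8

typedef struct {
    char *host;              /* this server's address */
    char *hosts[MAX_HOSTS];  /* hosts list it reported, owned by this struct */
    int   n_hosts;
} server_description_t;

typedef struct {
    server_description_t *servers[MAX_SERVERS];
    int n_servers;
} topology_description_t;

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Analogue of mongoc_server_description_cleanup: frees the description
 * together with the hosts list it owns. */
static void sd_cleanup(server_description_t *sd) {
    for (int i = 0; i < sd->n_hosts; i++) free(sd->hosts[i]);
    free(sd->host);
    free(sd);
}

static int hosts_contain(char *const *hosts, int n, const char *host) {
    for (int i = 0; i < n; i++)
        if (strcmp(hosts[i], host) == 0) return 1;
    return 0;
}

static server_description_t *td_find(topology_description_t *td, const char *host) {
    for (int i = 0; i < td->n_servers; i++)
        if (strcmp(td->servers[i]->host, host) == 0) return td->servers[i];
    return NULL;
}

static void td_add(topology_description_t *td, const char *host) {
    if (td_find(td, host) || td->n_servers >= MAX_SERVERS) return;
    server_description_t *sd = calloc(1, sizeof *sd);
    sd->host = xstrdup(host);
    td->servers[td->n_servers++] = sd;
}

static void td_remove_at(topology_description_t *td, int i) {
    sd_cleanup(td->servers[i]);
    memmove(&td->servers[i], &td->servers[i + 1],
            (size_t)(td->n_servers - i - 1) * sizeof td->servers[0]);
    td->n_servers--;
}

/* BUGGY, mirrors the report: the filter reads primary->hosts on every
 * iteration, but an iteration can free `primary` itself (the primary
 * omitted its own address), so later iterations read freed memory.
 * Kept only for comparison; deliberately never called. */
void td_update_from_primary_buggy(topology_description_t *td,
                                  server_description_t *primary) {
    for (int i = 0; i < primary->n_hosts; i++) td_add(td, primary->hosts[i]);
    for (int i = 0; i < td->n_servers; ) {
        if (hosts_contain(primary->hosts, primary->n_hosts, td->servers[i]->host))
            i++;
        else
            td_remove_at(td, i);   /* may free `primary`: use-after-free next loop */
    }
}

/* FIXED: snapshot the reported hosts list before mutating the topology,
 * then never touch `primary` again, since the filter may free it. */
void td_update_from_primary(topology_description_t *td,
                            server_description_t *primary) {
    int n = primary->n_hosts;
    char *hosts[MAX_HOSTS];
    for (int i = 0; i < n; i++) hosts[i] = xstrdup(primary->hosts[i]);
    primary = NULL;  /* may dangle after the filter; make that explicit */
    for (int i = 0; i < n; i++) td_add(td, hosts[i]);
    for (int i = 0; i < td->n_servers; ) {
        if (hosts_contain(hosts, n, td->servers[i]->host)) i++;
        else td_remove_at(td, i);
    }
    for (int i = 0; i < n; i++) free(hosts[i]);
}

/* Replays hosts_differ_from_seeds with constructed data: seed "a", and the
 * primary "a" reports hosts ["b"]. Returns the surviving server count and
 * copies the first surviving host into `first`. */
int run_hosts_differ_from_seeds(char *first, size_t len) {
    topology_description_t td = {0};
    td_add(&td, "a");
    server_description_t *a = td_find(&td, "a");
    a->hosts[0] = xstrdup("b");
    a->n_hosts = 1;
    td_update_from_primary(&td, a);   /* frees `a` during the filter */
    int n = td.n_servers;
    snprintf(first, len, "%s", n ? td.servers[0]->host : "");
    while (td.n_servers) td_remove_at(&td, 0);
    return n;
}

int main(void) {
    char first[16];
    int n = run_hosts_differ_from_seeds(first, sizeof first);
    printf("%d server(s) remain, first is \"%s\"\n", n, first);
    return 0;
}
```

The fixed variant costs one copy of a short string array per update, which is cheap next to a heartbeat round trip; the alternative of deferring the primary's own removal until after the loop also works but keeps a pointer alive that the rest of the function must remember not to dereference, and the snapshot makes that invariant local and obvious. Building with AddressSanitizer and calling the buggy variant in place of the fixed one turns the "no error or apparent logic error" behaviour the report describes into a deterministic heap-use-after-free report on the read inside hosts_contain.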
| Comments |
| Comment by Githook User [ 15/Jul/15 ] |
|
Author: A. Jesse Jiryu Davis (ajdavis) <jesse@mongodb.com>
Message: In the hosts_differ_from_seeds test, the driver connects to "a" and finds a When it removes the server description for "a" it calls |