[CDRIVER-740] Use-after-free if a primary doesn't report itself in hosts lists Created: 13/Jul/15  Updated: 12/Aug/15  Resolved: 17/Jul/15

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: 1.2.0
Fix Version/s: 1.2-beta0

Type: Bug Priority: Major - P3
Reporter: A. Jesse Jiryu Davis Assignee: A. Jesse Jiryu Davis
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Bug in unreleased code, in implementation of Server Discovery And Monitoring Spec.

In the hosts_differ_from_seeds test, the driver connects to "a" and finds a primary whose host list is ["b"]. The primary does not include "a" in its own hosts list.

The driver adds "b" to its topology description, then iterates over the topology description, removing every server that is missing from the hosts list reported by "a". When it removes the server description for "a" it calls mongoc_server_description_cleanup, which frees the server description for "a", including its hosts list. It then continues iterating over the topology description and checks whether "b" is in the hosts list reported by "a".

Thus the driver accesses the hosts list reported by "a" after freeing that list.

So far I've observed either no error from this sequence, or an apparent logic error in "hosts_differ_from_seeds":

Assert Failure: 1 == 0
tests/test-mongoc-sdam.c:150  test_sdam_cb()

A segfault is only a matter of time, however.
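The safe ordering for this pruning step, as an added illustration that is not the driver's code: the primary's hosts list is copied before the loop, so the loop never reads the list through a description that it may itself free. The types, add_server, in_list and prune_to_primary_hosts are simplified stand-ins for libmongoc's structures, and run_hosts_differ_from_seeds rebuilds the report's scenario (seed "a" is primary, reports ["b"], omits itself).

```c
#include <stdlib.h>
#include <string.h>
static char *dup_str(const char *s) { char *d = malloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }
typedef struct {
    char *host;     /* this server's own address, e.g. "a" */
    char **hosts;   /* hosts list it reported; NULL unless it is the primary */
    size_t n_hosts;
} server_desc_t;
typedef struct { server_desc_t servers[8]; size_t n; } topology_t;

void add_server(topology_t *t, const char *host, const char **hosts, size_t n) {
    server_desc_t *sd = &t->servers[t->n++];
    sd->host = dup_str(host); sd->n_hosts = n;
    sd->hosts = n ? malloc(n * sizeof *sd->hosts) : NULL;
    for (size_t i = 0; i < n; i++) sd->hosts[i] = dup_str(hosts[i]);
}

/* Frees all the description owns, hosts list included: never read it afterwards. */
static void server_desc_cleanup(server_desc_t *sd) {
    for (size_t i = 0; i < sd->n_hosts; i++) free(sd->hosts[i]);
    free(sd->hosts);
    free(sd->host);
    memset(sd, 0, sizeof *sd);
}
static int in_list(char **hosts, size_t n, const char *h) {
    for (size_t i = 0; i < n; i++) if (strcmp(hosts[i], h) == 0) return 1;
    return 0;
}
/* Drops every server absent from the primary's hosts list. The list is copied
 * first, so cleaning up the primary's own description mid-loop (it omits itself,
 * as "a" does in the report) cannot leave later iterations reading freed memory. */
size_t prune_to_primary_hosts(topology_t *t, size_t primary_idx) {
    size_t n = t->servers[primary_idx].n_hosts, w = 0;
    char **keep = malloc((n ? n : 1) * sizeof *keep);
    for (size_t i = 0; i < n; i++) keep[i] = dup_str(t->servers[primary_idx].hosts[i]);
    for (size_t r = 0; r < t->n; r++) {            /* compact survivors in place */
        if (in_list(keep, n, t->servers[r].host)) t->servers[w++] = t->servers[r];
        else server_desc_cleanup(&t->servers[r]);   /* may free the primary's list */
    }
    t->n = w;
    for (size_t i = 0; i < n; i++) free(keep[i]);
    free(keep);
    return w;
}

/* Constructed scenario from the report; returns 1 when only "b" survives. */
int run_hosts_differ_from_seeds(void) {
    topology_t t = {0}; const char *a_hosts[] = {"b"};
    add_server(&t, "a", a_hosts, 1); add_server(&t, "b", NULL, 0);
    return prune_to_primary_hosts(&t, 0) == 1 && strcmp(t.servers[0].host, "b") == 0;
}
```

Running the original ordering (iterate while still reading the primary's own hosts pointer) under AddressSanitizer or Valgrind is the quickest way to turn the intermittent logic error described above into a deterministic heap-use-after-free report.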



Comments
Comment by Githook User [ 15/Jul/15 ]

Author: A. Jesse Jiryu Davis (ajdavis, jesse@mongodb.com)

Message: CDRIVER-740 use of server description after free

In the hosts_differ_from_seeds test, the driver connects to "a" and finds a
primary whose host list is ["b"]. The primary does not include "a" in its
own hosts list. The driver adds "b" to its topology description, then iterates
the topology description removing servers missing from the hosts list from "a".

When it removes the server description for "a" it calls
mongoc_server_description_cleanup, which frees the server description for "a",
including its hosts list. It then continues iterating the topology description,
and checks if "b" is in the hosts list reported by "a". Thus the driver
accesses the hosts list reported by "a" after freeing that list.
Branch: 1.2.0-dev
https://github.com/mongodb/mongo-c-driver/commit/5b59fd47cf72949ea4945973d7a43696120d2169
