[CDRIVER-880] mongoc_collection_aggregate might return a destroyed cursor

Created: 24/Sep/15 | Updated: 19/Oct/16 | Resolved: 01/Oct/15

| Status: | Closed |
| Project: | C Driver |
| Component/s: | libmongoc |
| Affects Version/s: | 1.2-beta1 |
| Fix Version/s: | 1.2-rc0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Yuval Hager |
| Assignee: | Kyle Suarez |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |

| Description |
mongoc_collection_aggregate has a check for cursor validity, and if it fails, calls mongoc_cursor_destroy (around line 300 in mongoc-collection.c). This code can be reached in situations when the mongodb server misbehaves, returns an invalid cursor, has a memory issue, or just crashes. The destroyed cursor is then returned to the caller, which usually quickly identifies it is invalid, and calls mongoc_cursor_destroy, which leads to a double-free crash. The example code given in http://api.mongodb.org/c/current/aggregate.html will crash if this occurs. It looks like this was working before by creating a dummy cursor, but this code was removed in commit 346349d8d1e721e782d (as part of
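The ownership defect described in the report, as an added illustration that is not the driver's code: a hypothetical `cursor_t` stands in for `mongoc_cursor_t`, `aggregate_buggy` reproduces the pattern of destroying the cursor on the error path and still returning the freed pointer (shown only, never called), and `aggregate_fixed` shows the "dummy cursor" alternative the description mentions, where the caller receives a live cursor that carries the error and is destroyed exactly once like any other cursor. All names, the `destroy_count` counter, and the simulated server reply are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cursor type for illustration; not the driver's mongoc_cursor_t. */
typedef struct {
    bool valid;        /* false when the (simulated) server reply was unusable */
    char error[64];    /* non-empty when the cursor carries an error */
    int rows_left;     /* rows still to be yielded */
} cursor_t;

/* Counts destroy calls so a test can show each cursor is freed exactly once. */
static int destroy_count = 0;

/* Constructed: server_ok simulates whether the server returned a usable cursor. */
cursor_t *cursor_new(bool server_ok) {
    cursor_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->valid = server_ok;
    c->rows_left = server_ok ? 3 : 0;
    return c;
}

void cursor_destroy(cursor_t *c) {
    if (!c) return;
    destroy_count++;
    free(c);
}

/* Pattern A (the defect): free the cursor on a bad reply, then hand the
 * dangling pointer back. The caller cannot tell it is dead and will destroy
 * it again, which is the double free. Shown for contrast; never called. */
cursor_t *aggregate_buggy(bool server_ok) {
    cursor_t *c = cursor_new(server_ok);
    if (c && !c->valid) {
        cursor_destroy(c);   /* frees c ... */
    }
    return c;                /* ... and returns the freed pointer */
}

/* Pattern B (error-carrying cursor): on a bad reply, keep the object alive,
 * record the error, and yield no rows. Ownership stays with the caller,
 * whose single cursor_destroy is correct on every path. */
cursor_t *aggregate_fixed(bool server_ok) {
    cursor_t *c = cursor_new(server_ok);
    if (c && !c->valid) {
        snprintf(c->error, sizeof c->error, "invalid cursor in server reply");
        c->rows_left = 0;
    }
    return c;
}

bool cursor_next(cursor_t *c) {
    if (!c || !c->valid || c->rows_left == 0) return false;
    c->rows_left--;
    return true;
}

bool cursor_error(const cursor_t *c) {
    return c && c->error[0] != '\0';
}

/* Drives the cursor the way the aggregate example does: iterate, check for
 * an error, destroy once. Returns rows seen, or -1 if the cursor carried an error. */
int run_aggregate(bool server_ok) {
    cursor_t *c = aggregate_fixed(server_ok);
    int rows = 0;
    while (cursor_next(c)) rows++;
    int result = cursor_error(c) ? -1 : rows;
    cursor_destroy(c);       /* exactly one destroy on both the good and the bad path */
    return result;
}

int destroy_calls(void) { return destroy_count; }

int main(void) {
    int good = run_aggregate(true);
    printf("healthy reply: %d rows, %d destroy call(s)\n", good, destroy_calls());
    int bad = run_aggregate(false);
    printf("bad reply: result %d, %d destroy call(s) total\n", bad, destroy_calls());
    return 0;
}
```

The invariant worth checking in review is the one the fixed form preserves: a function that allocates an object and returns it must not also free it on any path that still returns the pointer. Either return NULL after freeing, or return a live object that reports the error, so the caller's cleanup is the same on every path.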
| Comments |
| Comment by Yuval Hager [ 04/Oct/15 ] |
|
Awesome! Thanks guys!
| Comment by Kyle Suarez [ 01/Oct/15 ] |
|
Thanks again yhager for catching this! The fix has been released in 1.2.0-rc0: https://github.com/mongodb/mongo-c-driver/releases/tag/1.2.0-rc0
| Comment by Githook User [ 01/Oct/15 ] |
|
Author: Hannes Magnusson (bjori, bjori@10gen.com)
Message: Merge pull request #278 from ksuarz/
|
| Comment by Githook User [ 01/Oct/15 ] |
|
Author: Hannes Magnusson (bjori, bjori@10gen.com)
Message: Merge pull request #278 from ksuarz/
|
| Comment by Githook User [ 01/Oct/15 ] |
|
Author: Kyle Suarez (ksuarz, ksuarz@gmail.com)
Message: We require the side effects of the function but ignore its return value.
| Comment by Githook User [ 01/Oct/15 ] |
|
Author: Kyle Suarez (ksuarz, ksuarz@gmail.com)
Message:
| Comment by Githook User [ 01/Oct/15 ] |
|
Author: Kyle Suarez (ksuarz, ksuarz@gmail.com)
Message:
| Comment by Githook User [ 01/Oct/15 ] |
|
Author: Kyle Suarez (ksuarz, ksuarz@gmail.com)
Message:
| Comment by A. Jesse Jiryu Davis [ 24/Sep/15 ] |
|
Thanks for the report! Seems easy to reproduce given the mock_server_t I've added to the test framework and your detailed explanation. We'll plan to fix this before the 1.2.0 release candidate next week.