[SERVER-50180] Fix User lifetime management in AuthorizationManager::acquireUserForSessionRefresh
Created: 07/Aug/20  Updated: 29/Oct/23  Resolved: 17/Aug/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 3.6.20, 4.0.21

Type: Bug
Priority: Major - P3
Reporter: Mark Benvenuto
Assignee: Mark Benvenuto
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v3.6
Sprint: Security 2020-08-24
Participants:
Linked BF Score: 15

 Description   

In 3.6 and 4.0, a User object may be leaked in AuthorizationManager::acquireUserForSessionRefresh if an error condition block is taken.

The User object's ref count must be decremented in this error block.

The affected code is only in 3.6 and 4.0. It was rewritten in 4.2.
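
The leak pattern described above, reduced to a minimal added example (not MongoDB's code; `User`, `UserCache`, `refreshLeaky` and `refreshFixed` are hypothetical stand-ins): an error branch that returns without dropping the acquired reference, beside the version that decrements it in that branch.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

// Hypothetical stand-ins for a manually reference-counted user object and its cache.
struct User { std::string name; int refCount; bool valid; };

struct UserCache {
    User user{"alice", 0, true};
    User* acquire() { ++user.refCount; return &user; }  // caller now owns one reference
    void release(User* u) { --u->refCount; }
};

enum class Status { OK, UserInvalid };

// Before: the error block returns while still holding the reference, so it leaks.
Status refreshLeaky(UserCache& cache, User** out) {
    User* u = cache.acquire();
    if (!u->valid) {
        return Status::UserInvalid;  // reference is never released
    }
    *out = u;  // success: ownership of the reference passes to the caller
    return Status::OK;
}

// After: the error block decrements the ref count before returning.
Status refreshFixed(UserCache& cache, User** out) {
    User* u = cache.acquire();
    if (!u->valid) {
        cache.release(u);
        return Status::UserInvalid;
    }
    *out = u;
    return Status::OK;
}

// Runs n failing refreshes and returns the references still outstanding afterwards.
int refsAfterFailedRefreshes(bool fixed, int n) {
    UserCache cache;
    cache.user.valid = false;  // constructed input: force the error block every time
    for (int i = 0; i < n; ++i) {
        User* out = nullptr;
        Status s = fixed ? refreshFixed(cache, &out) : refreshLeaky(cache, &out);
        assert(s == Status::UserInvalid && out == nullptr);
    }
    return cache.user.refCount;
}

int main() {
    std::printf("leaky=%d fixed=%d\n", refsAfterFailedRefreshes(false, 3), refsAfterFailedRefreshes(true, 3));
}
```

Each failed refresh in the leaky version leaves one more reference outstanding, so the object can never be reclaimed while the count stays above zero.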



 Comments   
Comment by Githook User [ 19/Aug/20 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-50180 Fix User lifetime management in AuthorizationManager::acquireUserForSessionRefresh

(cherry picked from commit 0a1b7e768ca29e2cb232c1af70beb55485fc96cb)
Branch: v3.6
https://github.com/mongodb/mongo/commit/d8c7c2c514fb8a44b7b2a731105582b66ed7b253

Comment by Githook User [ 17/Aug/20 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-50180 Fix User lifetime management in AuthorizationManager::acquireUserForSessionRefresh
Branch: v4.0
https://github.com/mongodb/mongo/commit/0a1b7e768ca29e2cb232c1af70beb55485fc96cb
