[SERVER-7801] Potential access to freed memory by Tool::conn() Created: 29/Nov/12  Updated: 23/Feb/17  Resolved: 23/Feb/17

Status: Closed
Project: Core Server
Component/s: Tools
Affects Version/s: 2.3.1
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Randolph Tan Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-6989 mongodump segfaults when host is pass... Closed
Related
is related to TOOLS-160 Audit tools for correct replica set u... Closed
Participants:

Description

Code in question:

    DBClientBase& Tool::conn( bool slaveIfPaired ) {
        if ( slaveIfPaired && _conn->type() == ConnectionString::SET ) {
            if (!_slaveConn) {
                // _conn is a DBClientReplicaSet here. slaveConn() hands back a
                // reference to a connection object that the replica set client
                // owns and may destroy on its own (failover, read preference change).
                DBClientReplicaSet* rs = static_cast<DBClientReplicaSet*>(_conn);
                _slaveConn = &rs->slaveConn();   // raw pointer cached across calls
            }
            return *_slaveConn;                  // may be dangling on a later call
        }
        return *_conn;
    }

This method caches _slaveConn from a raw pointer obtained from DBClientReplicaSet::slaveConn. This is very dangerous since DBClientReplicaSet owns the pointer and can decide to free it at any time (for example, when a secondary was promoted to primary, or the read preference/slaveOk setting was different from the last query/command).

The quick and dirty fix is to never cache slaveConn, ever. The more ideal fix is to not return the raw connection but to instead use the slaveOk bit to perform operations on the secondaries via the DBClientReplicaSet connection object.

P.S. We should probably also fix this line:

conn("true").simpleCommand("admin", &isdbgrid, "isdbgrid");
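The ownership hazard in the report, and both fixes it proposes, modelled as an added example. This is not MongoDB's code: HostConn, ReplicaSetClient, CachingTool and NonCachingTool are hypothetical stand-ins for DBClientConnection, DBClientReplicaSet and Tool, and replaceSecondary() stands in for whatever makes the real client drop a connection. The freed address is only ever compared as an integer, never dereferenced, so the demonstration itself has no undefined behaviour.

```cpp
#include <cstdint>
#include <memory>
#include <string>

// Stand-in for a single-host connection (hypothetical, not DBClientConnection).
struct HostConn {
    std::string host;
    explicit HostConn(std::string h) : host(std::move(h)) {}
};

// Stand-in for DBClientReplicaSet: owns the primary and secondary connections
// and may destroy either one at any time (hypothetical model).
class ReplicaSetClient {
public:
    ReplicaSetClient(std::string primary, std::string secondary)
        : primary_(std::make_unique<HostConn>(std::move(primary))),
          secondary_(std::make_unique<HostConn>(std::move(secondary))) {}

    // Mirrors slaveConn(): exposes an object this class owns.
    HostConn& slaveConn() { return *secondary_; }

    // The "more ideal fix": route by the slaveOk bit instead of handing out the
    // raw connection. Returns the host the command would be sent to.
    std::string runCommand(const std::string& /*cmd*/, bool slaveOk) {
        return slaveOk ? secondary_->host : primary_->host;
    }

    // Simulates the set reconfiguring: the old secondary object is freed. Its
    // address is recorded as an integer so the test can compare it safely.
    void replaceSecondary(std::string newHost) {
        lastFreed_ = reinterpret_cast<std::uintptr_t>(secondary_.get());
        secondary_ = std::make_unique<HostConn>(std::move(newHost));
    }

    std::uintptr_t lastFreedAddress() const { return lastFreed_; }
    std::uintptr_t currentSecondaryAddress() const {
        return reinterpret_cast<std::uintptr_t>(secondary_.get());
    }

private:
    std::unique_ptr<HostConn> primary_;
    std::unique_ptr<HostConn> secondary_;
    std::uintptr_t lastFreed_ = 0;
};

// The pattern from Tool::conn(): cache the raw pointer across calls.
class CachingTool {
public:
    explicit CachingTool(ReplicaSetClient& rs) : rs_(rs) {}
    HostConn* conn() {
        if (!slaveConn_) slaveConn_ = &rs_.slaveConn();
        return slaveConn_;  // dangling once rs_ has replaced its secondary
    }
private:
    ReplicaSetClient& rs_;
    HostConn* slaveConn_ = nullptr;
};

// The "quick and dirty fix": never cache; ask the owner on every call.
class NonCachingTool {
public:
    explicit NonCachingTool(ReplicaSetClient& rs) : rs_(rs) {}
    HostConn* conn() { return &rs_.slaveConn(); }
private:
    ReplicaSetClient& rs_;
};

// Scenario 1: after a failover the cached pointer equals the address the
// owner just freed; dereferencing it would be a use-after-free.
bool cachingToolHoldsFreedAddress() {
    ReplicaSetClient rs("rs0-a:27017", "rs0-b:27017");
    CachingTool tool(rs);
    tool.conn();                         // populates the cache
    rs.replaceSecondary("rs0-c:27017");  // frees the cached object
    auto stale = reinterpret_cast<std::uintptr_t>(tool.conn());
    return stale == rs.lastFreedAddress();
}

// Scenario 2: the non-caching tool always tracks the live object.
bool nonCachingToolTracksOwner() {
    ReplicaSetClient rs("rs0-a:27017", "rs0-b:27017");
    NonCachingTool tool(rs);
    tool.conn();
    rs.replaceSecondary("rs0-c:27017");
    return reinterpret_cast<std::uintptr_t>(tool.conn()) == rs.currentSecondaryAddress()
        && tool.conn()->host == "rs0-c:27017";
}

// Scenario 3: routing through the owner with slaveOk needs no raw pointer at all.
std::string routedHost(bool slaveOk) {
    ReplicaSetClient rs("rs0-a:27017", "rs0-b:27017");
    rs.replaceSecondary("rs0-c:27017");
    return rs.runCommand("isMaster", slaveOk);
}
```

The non-caching variant is correct only as long as the returned reference is used before control returns to anything that can reconfigure the owner; the slaveOk routing removes even that window, which is why the report prefers it.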

