<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:17:44 UTC 2024

-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-3336] Uninitialised BSON reply when running command on wrong server with pinned session</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-3336</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;While testing the session pinning implementation for the PHP driver, I uncovered a case where we attempt to free an uninitialised BSON reply. This not only affects the PHP driver, but also libmongoc itself if &lt;tt&gt;_mongoc_client_command_with_opts&lt;/tt&gt; ends up being called without a &lt;tt&gt;reply&lt;/tt&gt; object.&lt;/p&gt;

&lt;p&gt;In &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/b37f263e2286ad20c656df1e96fa106377fd7c7a/src/libmongoc/src/mongoc/mongoc-client.c#L1942&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;_mongoc_client_command_with_opts&lt;/tt&gt;&lt;/a&gt;&#160;it is assumed that the reply object is initialised if no &lt;tt&gt;server_stream&lt;/tt&gt; was opened. Later in the function, the reply object is &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/b37f263e2286ad20c656df1e96fa106377fd7c7a/src/libmongoc/src/mongoc/mongoc-client.c#L2001&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;freed&lt;/a&gt; if no &lt;tt&gt;reply&lt;/tt&gt; was passed to the function. If a &lt;tt&gt;reply&lt;/tt&gt; was passed but not initialised, &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/b37f263e2286ad20c656df1e96fa106377fd7c7a/src/libmongoc/src/mongoc/mongoc-client.c#L2004&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;an empty bson object is created&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;However, the assumption that not getting back a &lt;tt&gt;server_stream&lt;/tt&gt; means an initialised reply (see comment in &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/b37f263e2286ad20c656df1e96fa106377fd7c7a/src/libmongoc/src/mongoc/mongoc-client.c#L1941&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;line 1941&lt;/a&gt;) is wrong in one case: passing a &lt;tt&gt;serverId&lt;/tt&gt; in the options along with a session that is pinned to a different server triggers an error condition in &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/b37f263e2286ad20c656df1e96fa106377fd7c7a/src/libmongoc/src/mongoc/mongoc-cluster.c#L1898&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;mongoc_cluster_stream_for_server&lt;/tt&gt;&lt;/a&gt;, which then returns &lt;tt&gt;NULL&lt;/tt&gt;. This leads us to an uninitialised reply which is assumed to be initialised by &lt;tt&gt;_mongoc_client_command_with_opts&lt;/tt&gt;. I believe that &lt;tt&gt;mongoc_cluster_stream_for_server&lt;/tt&gt;&#160;needs a call to &lt;tt&gt;_mongoc_bson_init_if_set (reply)&lt;/tt&gt;&#160;if the server pinning check fails.&lt;/p&gt;

&lt;p&gt;To reproduce this, you need to pin a session to a server, then call &lt;tt&gt;mongoc_client_command_with_opts&lt;/tt&gt; (or any other command function) with the session, as well as a server ID that is different from the one that the session is pinned to. Not passing a reply pointer to the function triggers the bug in libmongoc.&lt;/p&gt;

&lt;p&gt;In the case of the PHP driver, a reply pointer is passed, which &lt;tt&gt;phongo_execute_command&lt;/tt&gt;&#160;&lt;a href=&quot;https://github.com/mongodb/mongo-php-driver/blob/e65d114b405ea0fd3f85eab6ef113d782d90c1fc/php_phongo.c#L1031&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;expects to be initialised&lt;/a&gt; during &lt;tt&gt;_mongoc_client_command_with_opts&lt;/tt&gt; and subsequently &lt;a href=&quot;https://github.com/mongodb/mongo-php-driver/blob/e65d114b405ea0fd3f85eab6ef113d782d90c1fc/php_phongo.c#L1087..L1089&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;frees it&lt;/a&gt;. This is consistent with the documentation:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&lt;tt&gt;reply&lt;/tt&gt; is always initialized, and must be freed with &lt;tt&gt;bson_destroy()&lt;/tt&gt;.&lt;/p&gt;&lt;/blockquote&gt;</description>
                <environment></environment>
        <key id="906602">CDRIVER-3336</key>
            <summary>Uninitialised BSON reply when running command on wrong server with pinned session</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="clyde.bazile@mongodb.com">Clyde Bazile III</assignee>
                                    <reporter username="andreas.braun@mongodb.com">Andreas Braun</reporter>
                        <labels>
                    </labels>
                <created>Mon, 26 Aug 2019 13:24:35 +0000</created>
                <updated>Sat, 28 Oct 2023 11:29:08 +0000</updated>
                            <resolved>Wed, 28 Aug 2019 16:14:21 +0000</resolved>
                                                    <fixVersion>1.15.1</fixVersion>
                                    <component>libmongoc</component>
                                        <votes>0</votes>
                                    <watches>1</watches>
                                                                                                                <comments>
                            <comment id="2397960" author="xgen-internal-githook" created="Wed, 28 Aug 2019 16:06:10 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Clyde Bazile&apos;, &apos;username&apos;: &apos;bazile-clyde&apos;, &apos;email&apos;: &apos;bazileclyde@gmail.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3336&quot; title=&quot;Uninitialised BSON reply when running command on wrong server with pinned session&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3336&quot;&gt;&lt;del&gt;CDRIVER-3336&lt;/del&gt;&lt;/a&gt; Uninitialised BSON reply on error&lt;br/&gt;
Branch: r1.15&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/cf50d6315a581a3c96cb43ae46f87c7b762f24e2&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/cf50d6315a581a3c96cb43ae46f87c7b762f24e2&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="2397947" author="xgen-internal-githook" created="Wed, 28 Aug 2019 15:56:56 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Clyde Bazile&apos;, &apos;username&apos;: &apos;bazile-clyde&apos;, &apos;email&apos;: &apos;bazileclyde@gmail.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3336&quot; title=&quot;Uninitialised BSON reply when running command on wrong server with pinned session&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3336&quot;&gt;&lt;del&gt;CDRIVER-3336&lt;/del&gt;&lt;/a&gt; Uninitialised BSON reply on error&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/548f0752509e7679ba7e90b767888ad2891f59d5&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/548f0752509e7679ba7e90b767888ad2891f59d5&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="2387421" author="clyde.bazile" created="Mon, 26 Aug 2019 21:57:50 +0000"  >&lt;p&gt;CR:&#160;&lt;a href=&quot;https://mongodbcr.appspot.com/504600001/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://mongodbcr.appspot.com/504600001/&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                        <issuelink>
            <issuekey id="629372">PHPC-1290</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
    </item>
</channel>
</rss>