<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:10:29 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-740] Use-after-free if a primary doesn&apos;t report itself in hosts lists</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-740</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;Bug in unreleased code, in implementation of Server Discovery And Monitoring Spec.&lt;/p&gt;

&lt;p&gt;In the &lt;a href=&quot;https://github.com/mongodb/specifications/blob/master/source/server-discovery-and-monitoring/tests/rs/hosts_differ_from_seeds.yml&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;hosts_differ_from_seeds&lt;/a&gt; test, the driver connects to &quot;a&quot; and finds a primary whose host list is [&quot;b&quot;]. The primary does &lt;b&gt;not&lt;/b&gt; include &quot;a&quot; in its own hosts list.&lt;/p&gt;

&lt;p&gt;The driver adds &quot;b&quot; to its topology description, then iterates the topology description removing servers missing from the hosts list from &quot;a&quot;. When it removes the server description for &quot;a&quot; it calls mongoc_server_description_cleanup, which frees the server description for &quot;a&quot;, including its hosts list. It then continues iterating the topology description, and checks if &quot;b&quot; is in the hosts list reported by &quot;a&quot;.&lt;/p&gt;

&lt;p&gt;Thus the driver accesses the hosts list reported by &quot;a&quot; after freeing that list.&lt;/p&gt;

&lt;p&gt;So far I&apos;ve observed either no error from this sequence, or an apparent logic error in &quot;hosts_differ_from_seeds&quot;:&lt;/p&gt;

&lt;pre&gt;Assert Failure: 1 == 0
tests/test-mongoc-sdam.c:150  test_sdam_cb()&lt;/pre&gt;

&lt;p&gt;A segfault is only a matter of time, however.&lt;/p&gt;</description>
                <environment></environment>
        <key id="216565">CDRIVER-740</key>
            <summary>Use-after-free if a primary doesn&apos;t report itself in hosts lists</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="jesse@mongodb.com">A. Jesse Jiryu Davis</assignee>
                                    <reporter username="jesse@mongodb.com">A. Jesse Jiryu Davis</reporter>
                        <labels>
                    </labels>
                <created>Mon, 13 Jul 2015 21:26:52 +0000</created>
                <updated>Wed, 12 Aug 2015 12:48:02 +0000</updated>
                            <resolved>Fri, 17 Jul 2015 14:45:22 +0000</resolved>
                                    <version>1.2.0</version>
                                    <fixVersion>1.2-beta0</fixVersion>
                                    <component>libmongoc</component>
                                        <votes>0</votes>
                                    <watches>1</watches>
                                                                                                                <comments>
                            <comment id="967069" author="xgen-internal-githook" created="Wed, 15 Jul 2015 19:28:13 +0000"  >&lt;p&gt;Author: A. Jesse Jiryu Davis (username: ajdavis, email: jesse@mongodb.com)&lt;/p&gt;
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-740&quot; title=&quot;Use-after-free if a primary doesn&amp;#39;t report itself in hosts lists&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-740&quot;&gt;&lt;del&gt;CDRIVER-740&lt;/del&gt;&lt;/a&gt; use of server description after free&lt;/p&gt;

&lt;p&gt;In the hosts_differ_from_seeds test, the driver connects to &quot;a&quot; and finds a&lt;br/&gt;
primary whose host list is [&quot;b&quot;]. The primary does not include &quot;a&quot; in its&lt;br/&gt;
own hosts list. The driver adds &quot;b&quot; to its topology description, then iterates&lt;br/&gt;
the topology description removing servers missing from the hosts list from &quot;a&quot;.&lt;/p&gt;

&lt;p&gt;When it removes the server description for &quot;a&quot; it calls&lt;br/&gt;
mongoc_server_description_cleanup, which frees the server description for &quot;a&quot;,&lt;br/&gt;
including its hosts list. It then continues iterating the topology description,&lt;br/&gt;
and checks if &quot;b&quot; is in the hosts list reported by &quot;a&quot;. Thus the driver&lt;br/&gt;
accesses the hosts list reported by &quot;a&quot; after freeing that list.&lt;br/&gt;
Branch: 1.2.0-dev&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/5b59fd47cf72949ea4945973d7a43696120d2169&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/5b59fd47cf72949ea4945973d7a43696120d2169&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsb5hz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="610">C Driver 2015Q2 sprint 4</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>