zookeeper-dev mailing list archives

From "Alexander A. Strelets (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-2890) Local automatic variable is left uninitialized and then freed.
Date Tue, 05 Sep 2017 10:54:00 GMT
Alexander A. Strelets created ZOOKEEPER-2890:
------------------------------------------------

             Summary: Local automatic variable is left uninitialized and then freed.
                 Key: ZOOKEEPER-2890
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2890
             Project: ZooKeeper
          Issue Type: Bug
          Components: c client
    Affects Versions: 3.4.10
         Environment: Linux ubuntu 4.4.0-87-generic
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609

https://github.com/apache/zookeeper.git
branch-3.4
            Reporter: Alexander A. Strelets
            Priority: Critical
             Fix For: 3.4.10


The function *_deserialize_response()_*, in _case COMPLETION_STRING_, uses the local automatic variable
*_struct CreateResponse res_*, which is +left uninitialized+ and passed to the function _deserialize_GetACLResponse()_
and then to _deallocate_GetACLResponse()_.

The _deserialize_ function, which is called first, is expected to assign the _res_ variable
a value from the parsed _struct iarchive *ia_. But if _ia_ contains, for example, an insufficient
number of bytes, the _deserialize_String()_ function refuses to assign a value to _res_,
and _res_ stays uninitialized (the real case is described below). Then the _deallocate_ function
calls _deallocate_String()_, passing the uninitialized _res_ as an argument. If, incidentally, the
memory region on the program stack under _res_ was not equal to NULL, the last call +leads
to _free()_ on an invalid address+.

The real case: this happens, for example, when an active _create_ request (or a create sub-request
within a _multi_ request) is completed on a call to _zookeeper_close()_ with the so-called
"fake response" fabricated by the function _free_completions()_. Such a response includes
only the header but +zero bytes for the body+.

*I suspect this may happen not only due to a call to _zookeeper_close()_ but also on reception of
a true response from the server* containing an insufficient number of bytes (I'm not sure if
a proper response from the server can have an error status and an empty payload).

Also, *I suspect the same case will take place with other requests, not only _create_*.
Indeed, almost all cases in _deserialize_response()_ should be verified, since they
also use uninitialized _res_ variables and _deallocate_ them. Still, I have not checked any others except
the _create_ request with the _COMPLETION_STRING_ response.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
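The failure mode the report describes, reduced to a small C program, as an added illustration that is not ZooKeeper's code: the types and function names (`iarchive`, `CreateResponse`, `deserialize_String`, `deallocate_CreateResponse`, `handle_create_response`) are simplified stand-ins chosen to mirror the report, and the length-prefixed wire format is an assumption for the demo. The deserializer deliberately leaves its output untouched on a short body, so the only thing standing between a zero-byte "fake response" and `free()` on a stack garbage pointer is whether the response struct was zero-initialised before the call.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the client's types (hypothetical, not ZooKeeper code). */
struct iarchive {
    const unsigned char *buf;
    size_t len;
    size_t off;
};

struct CreateResponse {
    char *path;
};

/* Assumed wire format: 4-byte big-endian length, then that many bytes.
 * On insufficient input it returns -1 and leaves *out untouched, which is
 * the behaviour the report attributes to deserialize_String(). */
static int deserialize_String(struct iarchive *ia, char **out)
{
    if (ia->len - ia->off < 4)
        return -1;
    uint32_t n = ((uint32_t)ia->buf[ia->off] << 24) |
                 ((uint32_t)ia->buf[ia->off + 1] << 16) |
                 ((uint32_t)ia->buf[ia->off + 2] << 8) |
                 (uint32_t)ia->buf[ia->off + 3];
    if (ia->len - ia->off - 4 < n)
        return -1;                       /* body truncated: *out is NOT written */
    char *s = malloc((size_t)n + 1);
    if (s == NULL)
        return -1;
    memcpy(s, ia->buf + ia->off + 4, n);
    s[n] = '\0';
    ia->off += 4 + n;
    *out = s;
    return 0;
}

static int deserialize_CreateResponse(struct iarchive *ia, struct CreateResponse *res)
{
    return deserialize_String(ia, &res->path);
}

/* free(NULL) is a no-op, so a zero-initialised response is always safe here;
 * an indeterminate res->path is the invalid free the report describes. */
static void deallocate_CreateResponse(struct CreateResponse *res)
{
    free(res->path);
    res->path = NULL;
}

/* Mirrors the COMPLETION_STRING branch with the fix applied: res is
 * zero-initialised before deserialize, so deallocate is safe even when the
 * body is empty (the "fake response" case) or truncated.
 * Returns 0 and copies the path into path_out on success, -1 on a short body. */
int handle_create_response(const unsigned char *body, size_t len,
                           char *path_out, size_t path_cap)
{
    struct iarchive ia = { body, len, 0 };
    struct CreateResponse res = { 0 };   /* the one-line fix: never leave res indeterminate */
    int rc = deserialize_CreateResponse(&ia, &res);
    if (rc == 0 && path_out != NULL && path_cap > 0)
        snprintf(path_out, path_cap, "%s", res.path);
    deallocate_CreateResponse(&res);     /* safe on both the success and the failure path */
    return rc;
}

int main(void)
{
    char path[64];
    /* Constructed samples: a well-formed body and the zero-byte "fake response" body. */
    const unsigned char ok[] = { 0, 0, 0, 2, '/', 'a' };
    int rc = handle_create_response(ok, sizeof ok, path, sizeof path);
    printf("full body:  rc=%d path=%s\n", rc, path);
    printf("empty body: rc=%d\n", handle_create_response(NULL, 0, path, sizeof path));
    return 0;
}
```

Remove the `= { 0 }` initialiser and the empty-body call becomes undefined behaviour: whatever the stack held at `res.path` is handed to `free()`. Reviewing each branch of a dispatch like `deserialize_response()` for this pattern (zero-initialise before deserialize, or skip deallocate when deserialize fails) is the audit the report asks for.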
