Date: Tue, 10 Oct 2017 18:52:00 +0000 (UTC)
From: "Patrick Hunt (JIRA)"
To: dev@zookeeper.apache.org
Subject: [jira] [Resolved] (ZOOKEEPER-2890) Local automatic variable is left uninitialized and then freed.

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Hunt resolved ZOOKEEPER-2890.
-------------------------------------
    Resolution: Fixed

Issue resolved by pull request 359
[https://github.com/apache/zookeeper/pull/359]

> Local automatic variable is left uninitialized and then freed.
> --------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2890
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2890
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client
>    Affects Versions: 3.4.10, 3.5.3, 3.6.0
>         Environment: Linux ubuntu 4.4.0-87-generic
> gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
> https://github.com/apache/zookeeper.git
> branch-3.4
>            Reporter: Alexander A. Strelets
>            Priority: Critical
>              Labels: easyfix
>             Fix For: 3.4.11, 3.6.0, 3.5.4
>
>
> ZooKeeper C Client *+single thread+* build
>
> Function *_deserialize_response()_*, in _case COMPLETION_STRING_, uses the local automatic variable *_struct CreateResponse res_*, which is +left uninitialized+ and passed to the function _deserialize_GetACLResponse()_ and then to _deallocate_GetACLResponse()_.
>
> The _deserialize_ function, which is called first, is expected to assign the _res_ variable a value from the parsed _struct iarchive *ia_. But if _ia_ contains, for example, an insufficient number of bytes, the _deserialize_String()_ function refuses to assign a value to _res_, and _res_ stays uninitialized (the true case is described below). Then the _deallocate_ function calls _deallocate_String()_, passing the uninitialized _res_ as an argument. If, incidentally, the memory region on the program stack under _res_ was not equal to NULL, the last call +leads to _free()_ on an invalid address+.
>
> The true case: this happens when an active _multi_ request with a _create_ sub-request is completed on a call to _zookeeper_close()_ with the so-called "Fake response", which is fabricated by the function _free_completions()_. Such a response includes only the header but +zero bytes for the body+. The significant condition is that the _create_ request is not a stand-alone one but a sub-request within the _multi_ request. In this case _deserialize_response()_ is called recursively (for each sub-request), and when it is called for the _create_ sub-request (from the nested _deserialize_multi()_) the _failed_ parameter is assigned false (0), so the _if (failed)_ condition branches to the _else_ part. Note that in the stand-alone create-request case this does not occur.
>
> *I suspect this may happen not only due to a call to _zookeeper_close()_ but also on reception of a true multi-response from the server* containing an insufficient number of bytes (I'm not sure whether a proper response from the server can have an overall error status and an empty or insufficient payload).
>
> This is a proposed fix: https://github.com/apache/zookeeper/pull/359

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
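As an added illustration (not ZooKeeper's code and not the change made in pull request 359), the failure mode the report describes reduced to a self-contained C program: a deserialize routine that leaves its output untouched when the archive is too short, a deallocate routine that frees whatever pointer it is handed, and the two caller shapes side by side. `struct iarchive`, `struct CreateResponse`, `deserialize_String`, the two `handle_create_*` functions and `demo` are constructed stand-ins named after the report's identifiers, not the project's definitions, and the sample response bytes are constructed. The hardened handler combines zero-initialization with a return-code check; that is the general defensive pattern for this bug class, not a claim about what the merged fix does.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the C client's input archive: a byte buffer with a
 * read cursor. Not the project's own struct iarchive. */
struct iarchive {
    const unsigned char *buf;
    size_t len;
    size_t off;
};

/* Constructed stand-in for struct CreateResponse: one heap-owned string. */
struct CreateResponse {
    char *path;
};

/* Read a 4-byte big-endian length, then that many bytes, into a new heap string.
 * Returns 0 on success, -1 if the archive is too short. On failure *out is left
 * untouched, the behaviour the report hinges on: the caller's field keeps
 * whatever value it already held. */
static int deserialize_String(struct iarchive *ia, char **out)
{
    if (ia->len - ia->off < 4) return -1;
    uint32_t n = ((uint32_t)ia->buf[ia->off] << 24) | ((uint32_t)ia->buf[ia->off + 1] << 16)
               | ((uint32_t)ia->buf[ia->off + 2] << 8) | (uint32_t)ia->buf[ia->off + 3];
    ia->off += 4;
    if (ia->len - ia->off < n) return -1;
    char *s = malloc((size_t)n + 1);
    if (s == NULL) return -1;
    memcpy(s, ia->buf + ia->off, n);
    s[n] = '\0';
    ia->off += n;
    *out = s;
    return 0;
}

static int deserialize_CreateResponse(struct iarchive *ia, struct CreateResponse *res)
{
    return deserialize_String(ia, &res->path);
}

/* free(NULL) is a no-op, so a zeroed response is always safe to release;
 * an indeterminate pointer is not. */
static void deallocate_CreateResponse(struct CreateResponse *res)
{
    free(res->path);
    res->path = NULL;
}

/* The buggy shape from the report: the local is never initialized and the
 * deserialize return code is ignored, so on a short body the deallocate call
 * frees whatever the stack slot held. The stale value is written explicitly to
 * stand in for real stack garbage. Shown for contrast only; nothing calls it. */
void handle_create_unsafe(struct iarchive *ia)
{
    struct CreateResponse res;
    res.path = (char *)0x1;               /* simulates stale stack contents */
    deserialize_CreateResponse(ia, &res); /* short body: res is untouched */
    deallocate_CreateResponse(&res);      /* free() on an invalid address */
}

/* Hardened shape: zero-initialize so every pointer field starts NULL, and use
 * the payload only when deserialization reported success; releasing the struct
 * is then safe on both paths. Copies the path into out on success, clears out
 * otherwise, and returns the deserialize result. */
static int handle_create_safe(struct iarchive *ia, char *out, size_t outlen)
{
    struct CreateResponse res = { 0 };
    int rc = deserialize_CreateResponse(ia, &res);
    if (rc == 0) snprintf(out, outlen, "%s", res.path);
    else if (outlen > 0) out[0] = '\0';
    deallocate_CreateResponse(&res);
    return rc;
}

/* Constructed sample input: a complete create response carrying "/zk/node". */
static const unsigned char FULL_BODY[] = {
    0x00, 0x00, 0x00, 0x08, '/', 'z', 'k', '/', 'n', 'o', 'd', 'e'
};

/* Run the hardened handler over the first body_len bytes of FULL_BODY (at most
 * sizeof FULL_BODY): 12 is the complete response, 0 is the zero-byte "Fake
 * response" from the report, anything in between is a truncated payload. */
int demo(size_t body_len, char *out, size_t outlen)
{
    struct iarchive ia = { FULL_BODY, body_len, 0 };
    return handle_create_safe(&ia, out, outlen);
}

int main(void)
{
    char path[64];
    size_t lens[] = { sizeof FULL_BODY, 8, 0 };
    for (size_t i = 0; i < 3; i++) {
        int rc = demo(lens[i], path, sizeof path);
        printf("body_len=%zu rc=%d path=\"%s\"\n", lens[i], rc, path);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the full body returns 0 with the path, while the truncated (8-byte) and zero-byte bodies return -1 with an empty path and no free() of an indeterminate pointer. The unsafe handler is kept only to show the shape of the defect; it is not called, because on a short body it would hand free() the stale pointer.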