[ 
https://issues.apache.org/jira/browse/THRIFT-2490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13976498#comment-13976498
 ] 

Jaesang Kim commented on THRIFT-2490:
-------------------------------------

In the recv function, there is a routine for reading an exception from the server.
If it fails to read the exception, it unreferences the object but does not set the pointer to NULL.
So, in this situation, the client is corrupted by a bad pointer error.
{code}
gboolean t_h_base_service_client_recv_get (THBaseServiceIf * iface, TResult ** _return, TIOError ** io, GError ** error)
...
        case 1:
          if (ftype == T_STRUCT)
          {
            /* This struct is an exception */
            if ( *io != NULL)
            {
              g_object_unref (*io);
            }
            *io = g_object_new (TYPE_T_I_O_ERROR, NULL);
            if ((ret = thrift_struct_read (THRIFT_STRUCT (*io), protocol, error)) < 0)
            {
              g_object_unref (*io);                   // <-- need to set io pointer to NULL
              return 0;
            }
            xfer += ret;
          } else {
            if ((ret = thrift_protocol_skip (protocol, ftype, error)) < 0)
              return 0;
            xfer += ret;
          }
          break;
...
}
{code}

In client code:
{code}
if (!t_h_base_service_client_get (iface, &result, &io, &error)) {
  ...
  if (io) {
    // IO MAY BE BAD POINTER.
  }
  ...
}
{code}

> if fail to read a exception from server, client may be occurred double free 
> ----------------------------------------------------------------------------
>
>                 Key: THRIFT-2490
>                 URL: https://issues.apache.org/jira/browse/THRIFT-2490
>             Project: Thrift
>          Issue Type: Bug
>          Components: C glib - Compiler
>    Affects Versions: 0.9.1
>         Environment: linux
>            Reporter: Jaesang Kim
>
> If it fails to read an exception from the server, a double free may occur in the client.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
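
The failure mode described in the comment above, as an added example that is not part of the original message or of the Thrift code base: a plain-C model of the recv error path beside a hardened variant that clears the out-parameter. `Obj`, `obj_new`, `obj_unref`, `struct_read_fails`, `recv_buggy`, `recv_fixed` and `call_and_cleanup` are hypothetical stand-ins for the GObject and generated Thrift functions.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a GObject (assumption). Objects live in a static pool so a
   stale pointer can be inspected safely instead of touching freed memory. */
typedef struct { int refs; } Obj;
static Obj pool[8];
static size_t pool_used;
static int bad_unrefs;  /* unrefs of an object whose last ref is already gone */

static Obj *obj_new(void) {
    Obj *o = &pool[pool_used++ % 8];
    o->refs = 1;
    return o;
}
static void obj_unref(Obj *o) {
    if (o->refs <= 0) { bad_unrefs++; return; }  /* real code: double free */
    o->refs--;
}
/* Models thrift_struct_read() failing while reading the exception struct. */
static int struct_read_fails(Obj *o) { (void)o; return -1; }

/* Error path as reported: the reference is dropped, *io is left dangling. */
static int recv_buggy(Obj **io) {
    if (*io != NULL) obj_unref(*io);
    *io = obj_new();
    if (struct_read_fails(*io) < 0) { obj_unref(*io); return 0; }
    return 1;
}
/* Hardened error path: clear the out-parameter after releasing it. */
static int recv_fixed(Obj **io) {
    if (*io != NULL) obj_unref(*io);
    *io = obj_new();
    if (struct_read_fails(*io) < 0) { obj_unref(*io); *io = NULL; return 0; }
    return 1;
}
/* Caller pattern from the comment: on failure, release io if it is non-NULL.
   Returns how many unrefs hit an already released object. */
static int call_and_cleanup(int (*recv_fn)(Obj **)) {
    Obj *io = NULL;
    bad_unrefs = 0;
    if (!recv_fn(&io) && io != NULL) obj_unref(io);
    return bad_unrefs;
}

int main(void) {
    printf("buggy: %d bad unref(s)\n", call_and_cleanup(recv_buggy));
    printf("fixed: %d bad unref(s)\n", call_and_cleanup(recv_fixed));
    return 0;
}
```

With GLib itself, `g_clear_object (io)` performs the unref and the NULL assignment in one call.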
