[ https://issues.apache.org/jira/browse/THRIFT-2490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13976498#comment-13976498 ]
Jaesang Kim edited comment on THRIFT-2490 at 4/22/14 7:41 AM:
--------------------------------------------------------------

In the recv function, there is a routine for reading an exception from the server.
If it fails to read an exception, it unreferences the object but does not set the pointer to NULL.
So, in this situation, the client is corrupted by a bad pointer error.

{code}
gboolean
t_h_base_service_client_recv_get (THBaseServiceIf * iface, TResult ** _return, TIOError ** io, GError ** error)
{
...
    case 1:
      if (ftype == T_STRUCT)
      {
        /* This struct is an exception */
        if ( *io != NULL)
        {
          g_object_unref (*io);
        }
        *io = g_object_new (TYPE_T_I_O_ERROR, NULL);
        if ((ret = thrift_struct_read (THRIFT_STRUCT (*io), protocol, error)) < 0)
        {
          g_object_unref (*io); // <-- need to set io pointer to NULL
          return 0;
        }
        xfer += ret;
      } else {
        if ((ret = thrift_protocol_skip (protocol, ftype, error)) < 0)
          return 0;
        xfer += ret;
      }
      break;
...
}
{code}

In client code:
{code}
if (!t_h_base_service_client_get(if, &return, &io, &error))
{
  ...
  if (io) {
    // MAY BE BAD POINTER.
  }
  ...
}
{code}


was (Author: hsleep):
In the recv function, there is a routine for reading an exception from the server.
If it fails to read an exception, it unreferences the object but does not set the pointer to NULL.
So, in this situation, the client is corrupted by a bad pointer error.

{code}
gboolean
t_h_base_service_client_recv_get (THBaseServiceIf * iface, TResult ** _return, TIOError ** io, GError ** error)
{
...
    case 1:
      if (ftype == T_STRUCT)
      {
        /* This struct is an exception */
        if ( *io != NULL)
        {
          g_object_unref (*io);
        }
        *io = g_object_new (TYPE_T_I_O_ERROR, NULL);
        if ((ret = thrift_struct_read (THRIFT_STRUCT (*io), protocol, error)) < 0)
        {
          g_object_unref (*io); // <-- need to set io pointer to NULL
          return 0;
        }
        xfer += ret;
      } else {
        if ((ret = thrift_protocol_skip (protocol, ftype, error)) < 0)
          return 0;
        xfer += ret;
      }
      break;
...
}
{code}

In client code:
{code}
if (!t_h_base_service_client_get(if, &return, &io, &error))
{
  ...
  if (io) {
    // IO MAY BE BAD POINTER.
  }
  ...
}
{code}

> if fail to read a exception from server, client may be occurred double free
> ----------------------------------------------------------------------------
>
>                 Key: THRIFT-2490
>                 URL: https://issues.apache.org/jira/browse/THRIFT-2490
>             Project: Thrift
>          Issue Type: Bug
>          Components: C glib - Compiler
>    Affects Versions: 0.9.1
>         Environment: linux
>            Reporter: Jaesang Kim
>
> If it fails to read an exception from the server, a double free may occur in the client.

--
This message was sent by Atlassian JIRA (v6.2#6252)
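
The failure mode reported above, reduced to a self-contained model with the buggy and corrected paths side by side. This is an added example, not code from the report or from Thrift: `Obj`, `obj_new`, `obj_unref`, `struct_read`, `recv_exception` and `run_client` are hypothetical stand-ins for the GObject and generated c_glib calls, and objects live in a static pool so the stale pointer can be inspected without touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a GObject: a static slot with a reference count. */
typedef struct { int refs; } Obj;
static Obj pool[4];
static size_t next_slot;
static int bad_unrefs;   /* unrefs that landed on an already-released object */

static Obj *obj_new(void) {
    Obj *o = &pool[next_slot++ % 4];
    o->refs = 1;
    return o;
}

static void obj_unref(Obj *o) {
    if (o->refs <= 0) { bad_unrefs++; return; }  /* a double free in real code */
    o->refs--;
}

/* Hypothetical stand-in for thrift_struct_read(): negative means failure. */
static int struct_read(Obj *o, int fail) { (void)o; return fail ? -1 : 1; }

/* Same shape as the exception branch in the report; returns 0 on read failure.
 * clear_on_fail == 0 leaves the stale pointer in *io (the reported behaviour);
 * clear_on_fail == 1 resets it to NULL (the change the report asks for). */
static int recv_exception(Obj **io, int fail, int clear_on_fail) {
    if (*io != NULL) obj_unref(*io);
    *io = obj_new();
    if (struct_read(*io, fail) < 0) {
        obj_unref(*io);
        if (clear_on_fail) *io = NULL;
        return 0;
    }
    return 1;
}

/* Caller pattern from the report: on failure, release io when it is non-NULL.
 * Returns the number of unrefs that hit a released object. */
int run_client(int clear_on_fail) {
    Obj *io = NULL;
    bad_unrefs = 0;
    if (!recv_exception(&io, 1, clear_on_fail) && io) obj_unref(io);
    return bad_unrefs;
}

int main(void) {
    printf("stale: %d, cleared: %d\n", run_client(0), run_client(1));
    return 0;
}
```

In GLib code, `g_clear_object (io)` performs the unref and the NULL assignment in one step.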