[
https://issues.apache.org/jira/browse/ZOOKEEPER-2890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16153535#comment-16153535
]
ASF GitHub Bot commented on ZOOKEEPER-2890:
-------------------------------------------
GitHub user xoiss opened a pull request:
https://github.com/apache/zookeeper/pull/359
branch-3.4 -- bugfix -- ZOOKEEPER-2890
Fixes https://issues.apache.org/jira/browse/ZOOKEEPER-2890
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/xoiss/zookeeper
branch-3.4-bugfix-zookeeper-2890
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zookeeper/pull/359.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #359
----
commit 2dc3664e52a0f1ae82c5c4fdc800921548bfc087
Author: xoiss <xoiss@ubuntu>
Date: 2017-09-05T11:28:36Z
ZOOKEEPER-2890 - fix freing by uninitialized address.
----
> Local automatic variable is left uninitialized and then freed.
> --------------------------------------------------------------
>
> Key: ZOOKEEPER-2890
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2890
> Project: ZooKeeper
> Issue Type: Bug
> Components: c client
> Affects Versions: 3.4.10
> Environment: Linux ubuntu 4.4.0-87-generic
> gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
> https://github.com/apache/zookeeper.git
> branch-3.4
> Reporter: Alexander A. Strelets
> Priority: Critical
> Labels: easyfix
> Fix For: 3.4.10
>
>
> Function *_deserialize_response()_*, in _case COMPLETION_STRING_, uses local
> automatic variable *_struct CreateResponse res_* which is +left
> uninitialized+ and passed to the function _deserialize_GetACLResponse()_ and
> then to _deallocate_GetACLResponse()_.
> The _deserialize_ function, which is called the first, is expected to assign
> the _res_ variable with a value from the parsed _struct iarchive *ia_. But,
> if _ia_ contains for example insufficient amount of bytes the
> _deserialize_String()_ function refuses of assigning a value to _res_, and
> _res_ stays uninitialized (the true case is described below). Then, the
> _deallocate_ function calls _deallocate_String()_ passing uninitialized _res_
> with arguments. If incidentally the memory region in the program stack under
> the _res_ was not equal to NULL, the last call +leads to _free()_ by invalid
> address+.
> The true case: this happens when an active _multi_ request with _create_
> sub-request is completed on call to _zookeeper_close()_ with the so called
> "Fake response" which is fabricated by the function _free_completions()_.
> Such response includes only the header but +zero bytes for the body+. The
> significant condition is that the _create_ request is not a stand-alone one,
> but namely a sub-request within the _multi_ request. In this case the
> _deserialize_response()_ is called recursively (for each sub-request), and
> when it is called for the _create_ subrequest (from the nested
> _deserialize_multi()_) the _failed_ parameter is assigned with false (0), so
> the _if (failed)_ condition branches to the _else_ part. Note that in the
> stand-alone create-request case this does not occur.
> *I suspect this may happen not only due to call to _zookeeper_close()_ but on
> reception of a true multi-response from the server* containing insufficient
> number of bytes (I'm not sure if it can be a proper response from the server
> with an error overall status and empty or insufficient payload).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
