youlong chen created ZOOKEEPER-4999:
---------------------------------------
Summary: Error Path Leaks in Async Commands
Key: ZOOKEEPER-4999
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4999
Project: ZooKeeper
Issue Type: Bug
Components: c client
Affects Versions: 3.9.4
Reporter: youlong chen
I am reporting a memory leak issue in Apache ZooKeeper's C client ({{cli_mt}}).
In {{src/cli.c}}, many commands use the pattern:
{{rc = zoo_aget(zh, line, 1, my_data_completion, strdup(line));}}
The {{strdup(line)}} is passed as the {{data}} context to the callback. The
callback is responsible for freeing it. However, if {{zoo_aget}} (or other
async functions) returns an error immediately (e.g., {{ZBADARGUMENTS}} due to
invalid path, or {{ZINVALIDSTATE}}), the callback is never scheduled, and
the {{strdup(line)}} result is leaked.
h3. Location
Multiple locations in {{src/cli.c}} inside {{processline}} function, affecting
commands: {{get}}, {{ls}}, {{create}}, {{delete}}, {{set}},
{{stat}}, {{sync}}, {{addWatch}}.
h3. Impact
If a user (or attacker) sends many invalid commands (e.g., paths not starting
with {{/}} if the check was missing, or if the connection is in a bad state),
memory will leak. Note: {{cli.c}} checks for leading {{/}} for most commands,
but {{zoo_aget}} can still fail for other reasons (e.g. {{zh}} is NULL or
closed).
h3. Fix
Check the return code of the async function. If it indicates failure, free the
allocated string.
{code:c}
char *ctx = strdup(line);
rc = zoo_aget(zh, line, 1, my_data_completion, ctx);
if (rc) {
    free(ctx);
    fprintf(stderr, "Error %d for %s\n", rc, line);
}
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
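The ownership rule the report describes, as an added example that is not ZooKeeper's code: {{fake_zoo_aget}} is a stand-in for {{zoo_aget}} that fails synchronously on a bad path or a closed handle without ever invoking the completion, and {{live_ctx}} counts contexts that were strdup'd but not yet freed. The error-code values match {{zookeeper.h}}; the simplified completion signature and the {{connected}} flag are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ZOK            0
#define ZBADARGUMENTS -8
#define ZINVALIDSTATE -9

/* Simplified completion type (the real data_completion_t carries more). */
typedef void (*completion_t)(int rc, const void *data);

/* Number of strdup'd contexts still alive; a leak leaves it above zero. */
static int live_ctx = 0;

/* Stand-in for zoo_aget(): on an early error it returns at once and the
 * completion is never scheduled, which is the leak condition in cli.c. */
static int fake_zoo_aget(int connected, const char *path,
                         completion_t completion, const void *data)
{
    if (path == NULL || path[0] != '/') return ZBADARGUMENTS;
    if (!connected)                      return ZINVALIDSTATE;
    completion(ZOK, data);   /* the real client runs this on its IO thread */
    return ZOK;
}

/* The completion owns and frees the context, as my_data_completion does. */
static void my_data_completion(int rc, const void *data)
{
    (void)rc;
    free((void *)data);
    live_ctx--;
}

/* Original pattern: the context is lost whenever the call fails early. */
static int get_leaky(int connected, const char *line)
{
    char *ctx = strdup(line); live_ctx++;
    return fake_zoo_aget(connected, line, my_data_completion, ctx);
}

/* Fixed pattern: a synchronous error means no callback will run, so the
 * caller still owns the context and must release it itself. */
static int get_fixed(int connected, const char *line)
{
    char *ctx = strdup(line); live_ctx++;
    int rc = fake_zoo_aget(connected, line, my_data_completion, ctx);
    if (rc != ZOK) {
        free(ctx); live_ctx--;
        fprintf(stderr, "Error %d for %s\n", rc, line);
    }
    return rc;
}
```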