Cyl created ZOOKEEPER-5005:
------------------------------
Summary: Memory Leak in reconfig command
Key: ZOOKEEPER-5005
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5005
Project: ZooKeeper
Issue Type: Bug
Components: c client
Affects Versions: 3.9.4
Reporter: Cyl
Attachments: memory_leak_poc.py
*Description*: In {{zookeeper-client/zookeeper-client-c/src/cli.c}}, the function
{{processline}} has a memory leak when handling the {{reconfig}} command.
{code:c}
} else if (strncmp(line, "reconfig", 8) == 0) {
    char *joining = NULL, *leaving = NULL, *members = NULL;
    int64_t version = -1;
    int syntaxError = 0;
    char *p;
    p = strtok(strdup(line), " "); // <--- LEAK: strdup allocates memory, pointer is lost
{code}
The {{strdup(line)}} creates a copy of the input line. {{strtok}} returns a
pointer to the first token in this copy. The original pointer returned by
{{strdup}} is not stored, so it cannot be freed.
*Impact* Every time the {{reconfig}} command is parsed (even if arguments are
invalid), the full command line string is leaked. An attacker can send many
{{reconfig}} commands with long arguments to exhaust memory.
*Reproduction* The PoC script {{memory_leak_poc.py}} sends 20,000 {{reconfig}}
commands with ~3KB payload each. Result: Memory usage increases from ~4MB to
~50MB.
*Fix* Store the pointer returned by {{strdup}} and free it after parsing is
complete.
{code:c}
char *line_dup = strdup(line);   // keep the pointer strdup returns
if (line_dup == NULL) { /* handle allocation failure */ }
p = strtok(line_dup, " ");       // p points into line_dup, not a new allocation
// ... use p, and strtok(NULL, " ") for the remaining tokens ...
free(line_dup);                  // release the copy once parsing is done
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)