[ https://issues.apache.org/jira/browse/ZOOKEEPER-4809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
fanyang updated ZOOKEEPER-4809:
-------------------------------
Description:
{code:c}
void *do_completion(void *v)
{
zhandle_t *zh = v;
// ...
api_epilog(zh, 0); // L1
LOG_DEBUG(LOGCALLBACK(zh), "completion thread terminated"); // L2
return 0;
}
{code}
When the log level is debug, L2 gets the log callback after zookeeper_close(),
which causes a UAF.
was:
{code:c}
void *do_completion(void *v)
{
zhandle_t *zh = v;
// ...
api_epilog(zh, 0);
// L1
LOG_DEBUG(LOGCALLBACK(zh), "completion thread terminated"); // L2
return 0;
}
{code}
When the log level is debug, L2 gets the log callback after zookeeper_close(),
which causes a UAF.
> do_completion() use-after-free when log level is debug
> ------------------------------------------------------
>
> Key: ZOOKEEPER-4809
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4809
> Project: ZooKeeper
> Issue Type: Bug
> Components: c client
> Reporter: fanyang
> Priority: Minor
> Labels: pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
> {code:c}
> void *do_completion(void *v)
> {
> zhandle_t *zh = v;
> // ...
> api_epilog(zh, 0); // L1
> LOG_DEBUG(LOGCALLBACK(zh), "completion thread terminated"); // L2
> return 0;
> }
> {code}
> When the log level is debug, L2 gets the log callback after zookeeper_close(),
> which causes a UAF.
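The ordering problem in the description, modelled as an added example (not ZooKeeper's own code): a reference-counted handle, an api_epilog() stand-in that destroys it once close was requested, and the completion thread in the reported order next to a reordered version that reads the logger before releasing zh. The names, the reference-counting model and the chosen fix ordering are assumptions for illustration.

```c
#include <stdlib.h>
/* Model of the lifecycle in the report (added example, not ZooKeeper code):
   the completion thread holds one reference on zh, api_epilog() drops it, and
   after zookeeper_close() the last release destroys the handle. The real client
   calls free(); this model only marks the handle so a late access is detected. */
typedef void (*log_cb_t)(const char *msg);
typedef struct {
    int refs;             /* outstanding references */
    int close_requested;  /* set by zookeeper_close() */
    int freed;            /* stand-in for the real free() */
    int late_access;      /* set when zh is touched after "free" */
    log_cb_t log_callback;
} handle_t;
static void sample_log(const char *msg) { (void)msg; }
handle_t *handle_new(void) {
    handle_t *h = calloc(1, sizeof *h);
    h->refs = 1;                  /* the completion thread's reference */
    h->log_callback = sample_log;
    return h;
}
void model_close(handle_t *h) { h->close_requested = 1; }
/* api_epilog(): release one reference; the last one after close destroys zh. */
void model_api_epilog(handle_t *h) {
    if (--h->refs == 0 && h->close_requested) h->freed = 1;
}

/* LOGCALLBACK(zh) stand-in: reading the callback from a destroyed handle is
   the use-after-free; the model records it and returns NULL. */
log_cb_t model_logcallback(handle_t *h) {
    if (h->freed) { h->late_access = 1; return NULL; }
    return h->log_callback;
}

/* Ordering from the report: epilog first (L1), then dereference zh (L2). */
int completion_buggy(handle_t *zh) {
    model_api_epilog(zh);                 /* L1: may destroy zh */
    log_cb_t cb = model_logcallback(zh);  /* L2: touches zh afterwards */
    if (cb) cb("completion thread terminated");
    return zh->late_access;
}

/* One safe ordering: take what is needed from zh before releasing it. */
int completion_fixed(handle_t *zh) {
    log_cb_t cb = model_logcallback(zh);  /* zh still owned here */
    model_api_epilog(zh);
    if (cb) cb("completion thread terminated");
    return zh->late_access;
}
```

With close requested, completion_buggy() reports a late access (1) while completion_fixed() does not (0); without a close, the buggy ordering happens to be safe because the reference drop does not destroy zh.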
--
This message was sent by Atlassian Jira
(v8.20.10#820010)