[
https://issues.apache.org/jira/browse/ZOOKEEPER-4809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kezhu Wang reassigned ZOOKEEPER-4809:
-------------------------------------
Assignee: fanyang
> do_completion() use-after-free when log level is debug
> ------------------------------------------------------
>
> Key: ZOOKEEPER-4809
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4809
> Project: ZooKeeper
> Issue Type: Bug
> Components: c client
> Affects Versions: 3.7.2, 3.8.4, 3.9.2
> Reporter: fanyang
> Assignee: fanyang
> Priority: Minor
> Labels: pull-request-available
> Fix For: 3.10.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> {code:c}
> void *do_completion(void *v)
> {
>     zhandle_t *zh = v;
>     // ...
>     api_epilog(zh, 0); // L1
>     LOG_DEBUG(LOGCALLBACK(zh), "completion thread terminated"); // L2
>     return 0;
> }
> {code}
> When the log level is debug, L2 gets the log callback after zookeeper_close(),
> which causes a UAF.
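The ordering problem in the report above, as an added example that is not code from the ZooKeeper client or from its fix. `handle_t`, `epilog`, `get_log_cb` and the `destroyed` flag are hypothetical stand-ins, and the model assumes the handle is destroyed when the last reference is dropped after close; it counts late callback lookups instead of freeing memory, so it runs without undefined behaviour.

```c
#include <stdio.h>
/* Simplified stand-in for the client handle; not the real zhandle_t. */
typedef void (*log_cb_t)(const char *msg);
typedef struct {
    int      ref_counter;     /* threads still using the handle */
    int      close_requested; /* the application has called close */
    int      destroyed;       /* set where a real client would free() */
    log_cb_t log_cb;
} handle_t;

static int late_reads; /* callback lookups made after destruction */
static int delivered;  /* messages that reached the callback */
static void sink(const char *msg) { (void)msg; delivered++; }

/* Models LOGCALLBACK(zh): it has to read a field of the handle. */
static log_cb_t get_log_cb(handle_t *h) {
    if (h->destroyed) { late_reads++; return NULL; } /* real code: UAF read */
    return h->log_cb;
}

/* Assumed model of L1: last reference out after close destroys the handle. */
static void epilog(handle_t *h) {
    if (--h->ref_counter == 0 && h->close_requested) h->destroyed = 1;
}
static void log_debug(log_cb_t cb, const char *msg) { if (cb) cb(msg); }

/* Order from the report: release (L1), then look up the callback (L2). */
static void exit_reported(handle_t *h) {
    epilog(h);
    log_debug(get_log_cb(h), "completion thread terminated");
}

/* Reordered: log while this thread still holds its reference. */
static void exit_log_first(handle_t *h) {
    log_debug(get_log_cb(h), "completion thread terminated");
    epilog(h);
}

/* Run one exit path on a handle whose close was already requested. */
static int run(void (*exit_path)(handle_t *)) {
    handle_t h = { 1, 1, 0, sink };
    late_reads = 0; delivered = 0;
    exit_path(&h);
    return late_reads;
}

int main(void) {
    printf("reported order:  %d late read(s)\n", run(exit_reported));
    printf("log-first order: %d late read(s)\n", run(exit_log_first));
    return 0;
}
```

In the real client the late lookup is a read of freed memory, so building with AddressSanitizer and running with the debug log level enabled is a practical way to surface it.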