[
https://issues.apache.org/jira/browse/ZOOKEEPER-4999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Cyl updated ZOOKEEPER-4999:
---------------------------
Attachment: memory_leak_async_poc.py
> Error Path Leaks in Async Commands
> ----------------------------------
>
> Key: ZOOKEEPER-4999
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4999
> Project: ZooKeeper
> Issue Type: Bug
> Components: c client
> Affects Versions: 3.9.4
> Reporter: Cyl
> Priority: Major
> Attachments: memory_leak_async_poc.py
>
>
> I am reporting a memory leak issue in Apache ZooKeeper’s C client (`cli_mt`).
>
> In {{src/cli.c}}, many commands use the pattern:
>
> {{rc = zoo_aget(zh, line, 1, my_data_completion, strdup(line));}}
> The {{strdup(line)}} is passed as the {{data}} context to the callback. The
> callback is responsible for freeing it. However, if {{zoo_aget}} (or other
> async functions) returns an error immediately (e.g., {{ZBADARGUMENTS}} due to
> invalid path, or {{ZINVALIDSTATE}}), the callback is never scheduled, and
> the {{strdup(line)}} result is leaked.
> h3. Location
> Multiple locations in {{src/cli.c}} inside the {{processline}} function,
> affecting commands: {{get}}, {{ls}}, {{create}}, {{delete}},
> {{set}}, {{stat}}, {{sync}}, {{addWatch}}.
> h3. Impact
> If a user (or attacker) sends many invalid commands (e.g., paths not starting
> with {{/}} if the check was missing, or if the connection is in a bad state),
> memory will leak. Note: {{cli.c}} checks for leading {{/}} for most commands,
> but {{zoo_aget}} can still fail for other reasons (e.g. {{zh}} is NULL or
> closed).
> h3. Fix
> Check the return code of the async function. If it indicates failure, free
> the allocated string.
>
> {{char *ctx = strdup(line);
> rc = zoo_aget(zh, line, 1, my_data_completion, ctx);
> if (rc) {
>     free(ctx);
>     fprintf(stderr, "Error %d for %s\n", rc, line);
> }}}
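The ownership rule described in the report, as an added example that is not part of the original message and is not ZooKeeper code: it compares the reported call-site pattern with the proposed fix and counts context strings that nobody freed. `demo_aget`, `demo_completion`, `DEMO_ERR` and the allocation tracker are hypothetical stand-ins, so the block builds without the ZooKeeper client library.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CTX 256
#define DEMO_ERR (-1)          /* constructed error code, not a real ZooKeeper value */
static char *live[MAX_CTX];    /* context strings allocated and not yet freed */

/* Stand-in for strdup(line) that records the allocation in live[]. */
static char *ctx_dup(const char *s) {
    int i = 0;
    while (i < MAX_CTX && live[i]) i++;
    if (i == MAX_CTX || !(live[i] = malloc(strlen(s) + 1))) return NULL;
    return strcpy(live[i], s);
}
static void ctx_free(const void *p) {
    for (int i = 0; i < MAX_CTX; i++)
        if (live[i] && live[i] == p) { free(live[i]); live[i] = NULL; return; }
}
/* Completion callback: it owns the context and frees it. */
static void demo_completion(int rc, const void *data) { (void)rc; ctx_free(data); }
/* Hypothetical async call: on immediate failure the callback is never scheduled. */
static int demo_aget(int connected, const char *path,
                     void (*cb)(int, const void *), const void *data) {
    if (!connected || path[0] != '/') return DEMO_ERR;
    cb(0, data);               /* models the completion that would run later */
    return 0;
}
/* Call-site pattern from the report: nobody frees the context on failure. */
static int submit_leaky(int connected, const char *line) {
    return demo_aget(connected, line, demo_completion, ctx_dup(line));
}
/* Call-site pattern from the proposed fix: the caller frees on failure. */
static int submit_fixed(int connected, const char *line) {
    char *ctx = ctx_dup(line);
    int rc = demo_aget(connected, line, demo_completion, ctx);
    if (rc) ctx_free(ctx);
    return rc;
}
/* Submit n commands, then count (and release) the contexts nobody freed. */
static int orphans_after(int (*submit)(int, const char *), int connected, const char *line, int n) {
    int orphans = 0;
    for (int i = 0; i < n; i++) submit(connected, line);
    for (int i = 0; i < MAX_CTX; i++)
        if (live[i]) { free(live[i]); live[i] = NULL; orphans++; }
    return orphans;
}
int main(void) {
    printf("leaky: %d orphaned, ", orphans_after(submit_leaky, 0, "/a", 100));
    printf("fixed: %d orphaned\n", orphans_after(submit_fixed, 0, "/a", 100));
    return 0;
}
```

The same counting approach works as a regression check for each command the report lists: drive the call site with a handle that is in a bad state and assert that no context allocation is left outstanding.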