Double clean up leads to accessing invalid memory

Bug #1126601 reported by Martin C. Martin
This bug affects 2 people
Affects: libmemcached
Status: Fix Released
Importance: Medium
Assigned to: Brian Aker

Bug Description

From get.cc around line 560:

        if (memcached_io_write(instance) == false)
        {
          memcached_instance_response_reset(instance);
          memcached_io_reset(instance);
          rc= MEMCACHED_SOME_ERRORS;
        }

        if (memcached_io_write(instance, request.bytes,
                               sizeof(request.bytes), true) == -1)
        {
          memcached_instance_response_reset(instance);
          memcached_io_reset(instance);
          rc= MEMCACHED_SOME_ERRORS;
        }

If both memcached_io_writes fail, we call the reset functions twice, and the second resets result in invalid accesses, according to valgrind. I think we even got a crash later.


Martin C. Martin (martin-b69y0hv8h) wrote :

BTW, suggested fix is to add an "else" before the second "if".
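Added example (not libmemcached code) that models the control flow quoted above in C: the two writes are stubbed so either or both can be made to fail, and `fake_instance`, `io_write_ok` and `reset_instance` are constructed stand-ins for the real instance state and calls. The stand-in reset is deliberately idempotent so the run counts the duplicate clean-up instead of reproducing the invalid access; the second function shows the suggested "else" fix.

```c
#include <stdlib.h>
/* Constructed stand-in for the per-instance state memcached_io_reset()
 * tears down; the real memcached_instance_st is far richer. */
typedef struct {
    char *read_buffer;   /* released by reset_instance(); NULL once freed */
    int   reset_calls;   /* how often the reset pair ran during one send */
} fake_instance;

/* Stand-in for memcached_io_write(): bit 0 of fail_mask fails the first
 * write, bit 1 the second, so every failure combination can be driven. */
static int io_write_ok(int which, unsigned fail_mask)
{
    return (fail_mask & (1u << which)) == 0;
}

/* Stand-in for the response_reset + io_reset pair. free() then NULL keeps
 * a repeat call harmless here, so the counter alone shows the double run. */
static void reset_instance(fake_instance *in)
{
    in->reset_calls++;
    free(in->read_buffer);
    in->read_buffer = NULL;
}

/* Control flow as quoted from get.cc: two independent ifs, so when both
 * writes fail the reset pair runs twice. Returns the reset count. */
int send_get_original(unsigned fail_mask)
{
    fake_instance in = { malloc(4096), 0 };
    if (!io_write_ok(0, fail_mask))
        reset_instance(&in);
    if (!io_write_ok(1, fail_mask))      /* no "else": may reset again */
        reset_instance(&in);
    free(in.read_buffer);                /* free(NULL) is a no-op */
    return in.reset_calls;
}

/* Suggested fix: "else" before the second if, so the second write is only
 * attempted after a successful first one and at most one reset runs. */
int send_get_fixed(unsigned fail_mask)
{
    fake_instance in = { malloc(4096), 0 };
    if (!io_write_ok(0, fail_mask))
        reset_instance(&in);
    else if (!io_write_ok(1, fail_mask))
        reset_instance(&in);
    free(in.read_buffer);
    return in.reset_calls;
}
```

With both writes failing (`fail_mask` 3) the original flow reports two resets and the fixed flow one; in the real library the second reset is what valgrind flagged as an invalid access.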

Brian Aker (brianaker)
Changed in libmemcached:
milestone: none → 1.0.17
assignee: nobody → Brian Aker (brianaker)
importance: Undecided → Medium
status: New → In Progress
Brian Aker (brianaker)
Changed in libmemcached:
status: In Progress → Fix Committed
Brian Aker (brianaker)
Changed in libmemcached:
status: Fix Committed → Fix Released
Hassan El Jacifi (waver) wrote :

Hi Folks,

Can we also have the same fix on precise libmemcached6 -> 0.44-1.1build1 ?

Thanks
