Double clean up leads to accessing invalid memory

Bug #1126601 reported by Martin C. Martin on 2013-02-15
This bug affects 2 people
Affects: libmemcached
Status: Fix Released
Importance: Medium
Assigned to: Brian Aker
Milestone: 1.0.17

Bug Description

From get.cc around line 560:

        if (memcached_io_write(instance) == false)
        {
          memcached_instance_response_reset(instance);
          memcached_io_reset(instance);
          rc= MEMCACHED_SOME_ERRORS;
        }

        if (memcached_io_write(instance, request.bytes,
                               sizeof(request.bytes), true) == -1)
        {
          memcached_instance_response_reset(instance);
          memcached_io_reset(instance);
          rc= MEMCACHED_SOME_ERRORS;
        }

If both memcached_io_writes fail, we call the reset functions twice, and the second resets result in invalid accesses, according to valgrind. I think we even got a crash later.

BTW, the suggested fix is to add an "else" before the second "if".
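As an added illustration of the double-cleanup pattern described in the report and of the suggested "else" fix (constructed example code, not libmemcached's own: instance_t, instance_reset and the RC_ constants are stand-ins for memcached_instance_st, the two reset functions and MEMCACHED_SOME_ERRORS, and flush_ok / send_ok replace the results of the two memcached_io_write calls):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a connection instance (not libmemcached's
 * memcached_instance_st): one heap-allocated response buffer, plus a
 * counter so callers can see how many times the cleanup path ran. */
typedef struct {
    char  *read_buffer;
    size_t read_buffer_size;
    int    reset_count;
} instance_t;

enum { RC_SUCCESS = 0, RC_SOME_ERRORS = 1 };  /* stand-in for MEMCACHED_SOME_ERRORS */

static bool instance_init(instance_t *in, size_t size)
{
    in->read_buffer = malloc(size);
    in->read_buffer_size = in->read_buffer ? size : 0;
    in->reset_count = 0;
    return in->read_buffer != NULL;
}

/* Idempotent cleanup standing in for memcached_instance_response_reset()
 * and memcached_io_reset(). Nulling the pointer after free() makes a repeated
 * call harmless; the return value reports whether anything was left to
 * release, so a double cleanup is observable instead of freeing freed memory. */
static bool instance_reset(instance_t *in)
{
    in->reset_count++;
    if (in->read_buffer == NULL) {
        return false;                 /* already reset: nothing to release */
    }
    free(in->read_buffer);
    in->read_buffer = NULL;
    in->read_buffer_size = 0;
    return true;
}

/* Control flow as quoted from get.cc: two independent ifs. If both writes
 * fail, the cleanup runs twice; with a non-idempotent reset the second run
 * touches memory the first one released. */
static int send_request_buggy(instance_t *in, bool flush_ok, bool send_ok)
{
    int rc = RC_SUCCESS;
    if (!flush_ok) {
        instance_reset(in);
        rc = RC_SOME_ERRORS;
    }
    if (!send_ok) {                   /* runs even though the first block already reset */
        instance_reset(in);
        rc = RC_SOME_ERRORS;
    }
    return rc;
}

/* The suggested fix: 'else' before the second 'if', so the second write is
 * only attempted, and only cleaned up, when the first one succeeded. */
static int send_request_fixed(instance_t *in, bool flush_ok, bool send_ok)
{
    int rc = RC_SUCCESS;
    if (!flush_ok) {
        instance_reset(in);
        rc = RC_SOME_ERRORS;
    }
    else if (!send_ok) {
        instance_reset(in);
        rc = RC_SOME_ERRORS;
    }
    return rc;
}

/* Runs one scenario and returns how many times the cleanup path executed. */
static int resets_for(int (*flow)(instance_t *, bool, bool), bool flush_ok, bool send_ok)
{
    instance_t in;
    if (!instance_init(&in, 4096)) {
        return -1;
    }
    flow(&in, flush_ok, send_ok);
    int count = in.reset_count;
    instance_reset(&in);              /* final cleanup is safe whatever ran before */
    return count;
}

/* Shows the hardening on its own: a second reset finds nothing to release. */
static bool double_reset_is_harmless(void)
{
    instance_t in;
    if (!instance_init(&in, 16)) {
        return false;
    }
    bool first = instance_reset(&in);
    bool second = instance_reset(&in);
    return first && !second && in.read_buffer == NULL;
}

int main(void)
{
    printf("both writes fail, original flow: %d resets\n", resets_for(send_request_buggy, false, false));
    printf("both writes fail, fixed flow:    %d resets\n", resets_for(send_request_fixed, false, false));
    return 0;
}
```

The "else" is the fix for the reported bug: the second write (and its cleanup) is skipped once the first write has already failed and reset the instance. Making the reset idempotent is a separate, defence-in-depth change: it turns any remaining double cleanup into a no-op rather than an access to freed memory, which is the kind of error valgrind reported here.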

Brian Aker (brianaker) on 2013-02-15
Changed in libmemcached:
milestone: none → 1.0.17
assignee: nobody → Brian Aker (brianaker)
importance: Undecided → Medium
status: New → In Progress
Brian Aker (brianaker) on 2013-02-22
Changed in libmemcached:
status: In Progress → Fix Committed
Brian Aker (brianaker) on 2013-04-03
Changed in libmemcached:
status: Fix Committed → Fix Released
Hassan El Jacifi (waver) wrote :

Hi Folks,

Can we also have the same fix on precise libmemcached6 -> 0.44-1.1build1?

Thanks
