Fix two memory safety issues. #1
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
September 14, 2016 10:48
… avoiding use after free.
|
Thanks for the PR @cstorey! I actually thought This looks good on all points, merging. |
|
Uploaded 0.2.1 with this fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I've got an application which happens to re-size the allocate lmdb mapping by closing and re-opening the database, as that happens to be easier than ensuring the DB is quiescent first in this case.
I ended up finding that my program would segmentation fault when beginning transactions, or whilst the runtime was cleaning up an exited thread. Using valgrind, I tracked down two issues:
in
Database::open, we allocate anOption<CString>to hold the database name. However,Option::mapconsumes it's value, so any containedCStringis dropped after the call toCString::as_ptr, but before we pass it tomdb_dbi_open. So we have an effective use-after-free.I'd found that a
MDB_txnwas getting freed twice inside ofmdb_txn_abort, and then inmdb_env_close. It turns out that an earlier call tomdb_txn_comitwas failing, so the transaction had been marked as finished, but the use of thelmdb_call!macro meant we didn't zero out theTxHandlecontent. So, we ended up callingmdb_txn_aborton an already finalized handle. Then, because of the state of the transaction flags, we ended up freeing the memory that was referenced by the environment, as it'sme_txn0member.Anyway, I hope this helps, and thanks for the library!