Axis2-C / AXIS2C-925

seg fault in axiom_soap_fault_get_text if SOAP 1.1


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.3.0
    • Component/s: xml/soap
    • Labels: None
    • Environment: Windows XP, Visual Studio 2005, libxml2, libcurl

    Description

      If a SOAP 1.1 server returns a SOAP fault, a seg fault can happen if the client calls axiom_soap_fault_get_text. At the time of the crash, using the debugger, the om_ele_node in the fault_value points to memory that has been reused, probably as a result of being released. When axiom_element_get_text is called, the data_element it is passed appears to be overwritten or reused, so axiom_element_get_text sees om_element->text_value as nonzero, tries to free it, and the C runtime diagnoses a memory management error on the free.

      Stepping through with the debugger, the crux of the problem lies in soap_body.c, where axiom_soap_body_convert_fault_to_soap11 detaches the fault_value_node, converts its contents to text, issues the free_tree to free the node and its children, but leaves the pointer as the axiom_soap_fault_value_base_node. So the later call to axiom_soap_fault_get_text believes there is still a node tree structure present. The same oversight occurs when processing the fault_reason. The axiom_soap_fault_text_base_node is detached, converted to a single text string, the node tree is freed, but the pointer is left as the axiom_soap_fault_base_node.
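      A minimal C model of the dangling-pointer sequence the report describes, added here as an example: it is not Axis2-C code and does not reproduce the attached patch. The types and functions (om_node_t, fault_t, convert_value_to_text_buggy, convert_value_to_text_fixed, fault_get_text, fault_build_sample, fault_destroy) are hypothetical stand-ins for the fault_value / base_node bookkeeping in soap_body.c, and the sample tree is constructed inline. The buggy variant frees the subtree and leaves the pointer in place; the fixed variant does the same work and clears it, so the later text lookup falls through to the flattened string instead of walking freed nodes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One node of a tiny element/text tree; a single child link keeps it short.
 * Hypothetical stand-in for an OM node, not Axis2-C's axiom_node_t. */
typedef struct om_node {
    char *text;               /* text content, or NULL for an element node */
    struct om_node *child;    /* next node down, or NULL */
} om_node_t;

/* A fault value (or reason): a live subtree or, after SOAP 1.1 conversion,
 * a flattened string. Stand-in for the base_node bookkeeping in the report. */
typedef struct {
    om_node_t *base_node;     /* subtree, or NULL once it has been freed */
    char *text;               /* flattened text, valid when base_node is NULL */
} fault_t;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static om_node_t *node_new(const char *text, om_node_t *child) {
    om_node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->text = text ? dup_str(text) : NULL;
    n->child = child;
    return n;
}

/* Free a node and everything below it. */
static void free_tree(om_node_t *n) {
    while (n) {
        om_node_t *next = n->child;
        free(n->text);
        free(n);
        n = next;
    }
}

/* Concatenate the text nodes of a subtree into one freshly allocated string. */
static char *tree_to_text(const om_node_t *n) {
    size_t len = 0;
    const om_node_t *p;
    for (p = n; p; p = p->child)
        if (p->text) len += strlen(p->text);
    char *out = malloc(len + 1);
    if (!out) return NULL;
    out[0] = '\0';
    for (p = n; p; p = p->child)
        if (p->text) strcat(out, p->text);
    return out;
}

/* The sequence the report describes: detach the subtree, flatten it to
 * text, free the tree, and leave base_node pointing at freed memory. */
void convert_value_to_text_buggy(fault_t *f) {
    om_node_t *n = f->base_node;
    free(f->text);
    f->text = tree_to_text(n);
    free_tree(n);
    /* f->base_node still holds the old address: a later lookup that trusts
     * it dereferences freed memory, which is the crash in the report. */
}

/* Same conversion, with the stale reference cleared afterwards. */
void convert_value_to_text_fixed(fault_t *f) {
    om_node_t *n = f->base_node;
    free(f->text);
    f->text = tree_to_text(n);
    free_tree(n);
    f->base_node = NULL;      /* callers can now tell the subtree is gone */
}

/* Text lookup that trusts base_node whenever it is non-NULL. After the fixed
 * conversion it falls through to the flattened string; after the buggy one
 * it would walk freed nodes. */
const char *fault_get_text(const fault_t *f) {
    if (f->base_node) {
        const om_node_t *p;
        for (p = f->base_node; p; p = p->child)
            if (p->text) return p->text;   /* first text node of the live tree */
        return NULL;
    }
    return f->text;
}

/* Constructed sample: an element node wrapping the text "Internal error". */
void fault_build_sample(fault_t *f) {
    f->base_node = node_new(NULL, node_new("Internal error", NULL));
    f->text = NULL;
}

void fault_destroy(fault_t *f) {
    free_tree(f->base_node);  /* no-op once the fixed conversion has run */
    free(f->text);
    f->base_node = NULL;
    f->text = NULL;
}

int main(void) {
    fault_t f;
    fault_build_sample(&f);
    printf("before conversion: %s\n", fault_get_text(&f));
    convert_value_to_text_fixed(&f);   /* the buggy variant would leave base_node dangling */
    printf("after conversion:  %s\n", fault_get_text(&f));
    fault_destroy(&f);
    return 0;
}
```

      Built with -fsanitize=address, swapping convert_value_to_text_buggy into main and calling fault_get_text afterwards reports a heap-use-after-free on the read of base_node->text, the same class of error the debugger session above attributes to the freed om_ele_node; the fixed variant runs clean because the NULL pointer routes the lookup to the flattened text.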

      Attachments

        1. soapfault.diff
          3 kB
          Bill Mitchell


          People

            Assignee: xydinesh Dinesh Weerapurage
            Reporter: wtmitchell3 Bill Mitchell
            Votes: 0
            Watchers: 1
