Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
1.18.0
-
None
Description
qdr_subscribe_CT incorrectly frees the subscription passed in if the action is being dicarded.
However qdr_subscribe_CT does not own the subscription - a pointer to the subscription is held by the caller to qdr_core_subscribe(). The caller will free it.
2022-01-26T20:38:30.4511421Z 75: ==3807==ERROR: AddressSanitizer: attempting double-free on 0x60600000b0c0 in thread T3:
2022-01-26T20:38:30.5203414Z 75: #0 0x7f1b8b5a3627 in free (/lib64/libasan.so.6+0xae627)
2022-01-26T20:38:30.5211345Z 75: #1 0x879ff3 in qdr_agent_free /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/agent.c:153
2022-01-26T20:38:30.5229424Z 75: #2 0x92fb3d in qdr_core_free /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core.c:329
2022-01-26T20:38:30.5243461Z 75: #3 0x99f01d in qd_router_free /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_node.c:2179
2022-01-26T20:38:30.5249436Z 75: #4 0x7fccf2 in qd_dispatch_free /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/dispatch.c:374
2022-01-26T20:38:30.5752354Z 75: #5 0x5cefb2 in QDR::deinitialize(bool) const /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/tests/c_unittests/./helpers.hp\
p:265
2022-01-26T20:38:30.5753828Z 75: #6 0x5ab4c5 in check_amqp_listener_startup_log_message(qd_server_config_t, std::__cxx11::basic_string<char, std::char_traits<char>, std\
::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/tests/c_un\
ittests/test_listener_startup.cpp:58
2022-01-26T20:38:30.5755448Z 75: #7 0x5ae797 in operator() /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/tests/c_unittests/test_listener_startup.cpp:129
2022-01-26T20:38:30.5757874Z 75: #8 0x7f1b8ab7f5c3 in execute_native_thread_routine (/lib64/libstdc++.so.6+0xd95c3)
2022-01-26T20:38:30.5758403Z 75: #9 0x7f1b89ec2a86 in start_thread (/lib64/libc.so.6+0x8da86)
2022-01-26T20:38:30.5758836Z 75: #10 0x7f1b89f468d3 in _GI__clone (/lib64/libc.so.6+0x1118d3)
2022-01-26T20:38:30.5759199Z 75:
2022-01-26T20:38:30.5759801Z 75: 0x60600000b0c0 is located 0 bytes inside of 56-byte region [0x60600000b0c0,0x60600000b0f8)
2022-01-26T20:38:30.5760226Z 75: freed by thread T4 here:
2022-01-26T20:38:30.5760605Z 75: #0 0x7f1b8b5a3627 in free (/lib64/libasan.so.6+0xae627)
2022-01-26T20:38:30.5767193Z 75: #1 0x9377b7 in qdr_subscribe_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/route_tables.c:675
2022-01-26T20:38:30.5771793Z 75: #2 0x934a37 in router_core_thread /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core_thread.c:236
2022-01-26T20:38:30.5774021Z 75: #3 0x7f1b89ec2a86 in start_thread (/lib64/libc.so.6+0x8da86)
2022-01-26T20:38:30.5774306Z 75:
2022-01-26T20:38:30.5774559Z 75: previously allocated by thread T3 here:
2022-01-26T20:38:30.5776278Z 75: #0 0x7f1b8b5a391f in __interceptor_malloc (/lib64/libasan.so.6+0xae91f)
2022-01-26T20:38:30.5777116Z 75: #1 0x93d83d in qd_malloc /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/include/qpid/dispatch/ctools.h:234
2022-01-26T20:38:30.5777838Z 75: #2 0x93d83d in qdr_core_subscribe /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/route_tables.c:147
2022-01-26T20:38:30.5780283Z 75: #3 0x87a159 in qdr_agent_setup_subscriptions /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/agent.c:168
2022-01-26T20:38:30.5781122Z 75: #4 0x91a956 in qdr_core /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core.c:129
2022-01-26T20:38:30.5781939Z 75: #5 0x99eb72 in qd_router_setup_late /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_node.c:2142
2022-01-26T20:38:30.5782488Z 75: #6 0x7f1b85d0cc03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03)
2022-01-26T20:38:30.5798156Z 75: #7 0x7f1b856fc98f (<unknown module>)