Details
Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.4.14, 3.5.6
Fix Version/s: None
Component/s: None
Description
zoo_amulti initializes each per-operation request struct only while rc is still ZOK (every step is guarded by `rc = rc < 0 ? rc : ...`), but it calls free_duplicate_path unconditionally at the end of each case. For example:

    case ZOO_CHECK_OP: {
        struct CheckVersionRequest req;
        rc = rc < 0 ? rc : CheckVersionRequest_init(zh, &req,
                                op->check_op.path, op->check_op.version);
        rc = rc < 0 ? rc : serialize_CheckVersionRequest(oa, "req", &req);
        enter_critical(zh);
        entry = create_completion_entry(zh, h.xid, COMPLETION_VOID,
                        op_result_void_completion, result, 0, 0);
        leave_critical(zh);
        free_duplicate_path(req.path, op->check_op.path);
        break;
    }

This means that if a marshalling error occurs in one operation, then for every later operation in the multi the request struct is never initialized: req.path holds whatever was on the stack, and free_duplicate_path, which frees its first argument whenever it differs from op->check_op.path, passes that indeterminate pointer to free(). The result is heap corruption or a crash on the client.
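The following is an added example, not code from this ticket or from the ZooKeeper client, that models the loop above and makes the defect observable. All names (run_multi, check_req, check_req_init, serialize_check, tracked_concat, tracked_free) are stand-ins, the chroot prefix is assumed, and the 0xAA fill stands in for nondeterministic stack contents. The "fixed" mode shows one possible remedy, giving req.path a known value before the guarded steps; it is not the project's fix.

```c
/* Added example modelling the zoo_amulti error path described above.
 * Not ZooKeeper's code: run_multi, check_req, check_req_init, serialize_check,
 * tracked_concat/tracked_free and the 0xAA fill are stand-ins (assumptions). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ZOK 0
#define ZMARSHALLINGERROR (-5)
#define MAX_LIVE 64

/* Minimal tracking allocator: a free() of a pointer that was never handed out is
 * counted instead of executed, which is what ASan would report as a bad-free. */
static void *live[MAX_LIVE];
static int invalid_frees;

static void reset_tracking(void) {
    memset(live, 0, sizeof live);
    invalid_frees = 0;
}
static int invalid_free_count(void) { return invalid_frees; }
static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += live[i] != NULL;
    return n;
}
/* Concatenate a + b into a fresh tracked heap block (stand-in for the chroot
 * prefixing that makes the real client duplicate the caller's path). */
static char *tracked_concat(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    char *p = malloc(la + lb + 1);
    if (!p) return NULL;
    memcpy(p, a, la);
    memcpy(p + la, b, lb + 1);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}
static void tracked_free(void *p) {
    if (!p) return;                      /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;                     /* never allocated: heap corruption in real code */
}

struct check_req { const char *path; int version; };

static int check_req_init(struct check_req *req, const char *path, int version) {
    req->path = tracked_concat("/chroot", path);   /* duplicated, as with a chroot set */
    req->version = version;
    return req->path ? ZOK : -1;
}
/* Same contract as the client's free_duplicate_path(): release the copy only if
 * init actually made one. It cannot tell a garbage pointer from a copy. */
static void free_duplicate_path(const char *free_path, const char *path) {
    if (free_path != path) tracked_free((void *)free_path);
}
/* Stand-in for serialize_CheckVersionRequest(): the op at index fail_at fails. */
static int serialize_check(int idx, int fail_at) {
    return idx == fail_at ? ZMARSHALLINGERROR : ZOK;
}

/* Runs n check ops with rc carried across iterations exactly as zoo_amulti does.
 * fixed == 0 reproduces the report: req is left uninitialized, so once rc is negative
 * req.path is never written before free_duplicate_path reads it. Real stack garbage is
 * nondeterministic, so the struct is filled with 0xAA to stand in for it.
 * fixed == 1 shows one possible remedy: give req.path a known value (NULL) up front,
 * which free_duplicate_path then hands to free() as a harmless no-op. */
static int run_multi(int n, int fail_at, int fixed) {
    int rc = ZOK;
    for (int i = 0; i < n; i++) {
        struct check_req req;
        if (fixed) req.path = NULL;
        else memset(&req, 0xAA, sizeof req);   /* models indeterminate stack contents */
        rc = rc < 0 ? rc : check_req_init(&req, "/node", 1);
        rc = rc < 0 ? rc : serialize_check(i, fail_at);
        free_duplicate_path(req.path, "/node");  /* unconditional, as in the real code */
    }
    return rc;
}

int main(void) {
    reset_tracking();
    int rc = run_multi(4, 1, 0);
    printf("buggy: rc=%d invalid frees=%d leaked=%d\n", rc, invalid_free_count(), live_count());
    reset_tracking();
    rc = run_multi(4, 1, 1);
    printf("fixed: rc=%d invalid frees=%d leaked=%d\n", rc, invalid_free_count(), live_count());
    return 0;
}
```

With four ops and a failure in the second, the buggy mode records two invalid frees (one per operation after the failure) while the fixed mode records none, and neither leaks the duplicated path of the operation that failed. Against the real client the same condition is best confirmed by building with -fsanitize=address and issuing a multi whose non-final operation fails to serialize; the tracking allocator here only stands in for that report.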