src/amqp_definitions.c and src/cbs.c have memory double-free issues that free memory which has already been freed.
src/amqp_definitions.c
In the sasl_mechanisms_get_sasl_server_mechanisms function, the memory of the second parameter "sasl_server_mechanisms_value" could be freed by amqpvalue_destroy() on lines 10420, 10427 or 10435 and then freed again at the end of the function (line 10446).
That means the "sasl_server_mechanisms_value" memory is freed twice, leading to double-free issues.
int sasl_mechanisms_get_sasl_server_mechanisms(SASL_MECHANISMS_HANDLE sasl_mechanisms, AMQP_VALUE* sasl_server_mechanisms_value)
{
    ...
                            else
                            {
                                AMQP_VALUE single_amqp_value = amqpvalue_create_symbol(sasl_server_mechanisms_single_value);
                                if (single_amqp_value == NULL)
                                {
                                    amqpvalue_destroy(*sasl_server_mechanisms_value); //may be double-free issues
                                    result = MU_FAILURE;
                                }
                                else
                                {
                                    if (amqpvalue_add_array_item(*sasl_server_mechanisms_value, single_amqp_value) != 0)
                                    {
                                        amqpvalue_destroy(*sasl_server_mechanisms_value); //may be double-free issues
                                        amqpvalue_destroy(single_amqp_value);
                                        result = MU_FAILURE;
                                    }
                                    else
                                    {
                                        if (amqpvalue_set_composite_item(sasl_mechanisms_instance->composite_value, 0, *sasl_server_mechanisms_value) != 0)
                                        {
                                            amqpvalue_destroy(*sasl_server_mechanisms_value); //may be double-free issues
                                            result = MU_FAILURE;
                                        }
                                        else
                                        {
                                            result = 0;
                                        }
                                    }
                                    amqpvalue_destroy(single_amqp_value);
                                }
                                amqpvalue_destroy(*sasl_server_mechanisms_value); //Double-Free issue.
                            }
                        }
                        else
                        {
                            result = 0;
                        }
                    }
                }
            }
        }
    }
    return result;
}
src/cbs.c https://github.com/Azure/azure-uamqp-c/blob/master/src/cbs.c
In the cbs_put_token_async function, the "token_value" memory is first freed by message_set_body_amqp_value() on line 549. Then the "token_value" memory is freed again at the end of the function (line 639) by amqpvalue_destroy(), causing double-free issues.
ASYNC_OPERATION_HANDLE cbs_put_token_async(CBS_HANDLE cbs, const char* type, const char* audience, const char* token, ON_CBS_OPERATION_COMPLETE on_cbs_put_token_complete, void* on_cbs_put_token_complete_context)
{
    ...
            /* Codes_SRS_CBS_01_009: [ The body of the message MUST contain the token. ]*/
            if (message_set_body_amqp_value(message, token_value) != 0) //!!! token_value is freed by message_set_body_amqp_value
            {
                /* Codes_SRS_CBS_01_072: [ If constructing the message fails, `cbs_put_token_async` shall fail and return a non-zero value. ]*/
                LogError("Failed setting the token in the message body");
                result = NULL;
            }
            ...
            message_destroy(message); //!!! token_value is freed again --- Double Free issues
        }
    }
    return result;
}
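The ownership mistake behind both reports, reduced to a self-contained C sketch: an error branch releases the value and a shared tail releases it again. This is an added example, not code from the issue or from azure-uamqp-c; MOCK_VALUE, mock_destroy, mock_step and the two callers are constructed stand-ins, and the mock only counts destroy calls so the double release shows up as a number rather than as heap corruption.

```c
#include <stddef.h>

/* Constructed stand-in for a handle whose destroy call releases memory.
 * Not uAMQP's AMQP_VALUE: it only counts destroy calls, so a double free
 * becomes an observable number instead of undefined behaviour. */
typedef struct { int destroy_calls; } MOCK_VALUE;

static void mock_destroy(MOCK_VALUE *v)
{
    if (v != NULL) v->destroy_calls++;   /* a real implementation would free(v) */
}

/* Destroy through the owning pointer and clear it, so a later destroy of the
 * same slot is a no-op instead of a second free. */
static void mock_destroy_and_clear(MOCK_VALUE **pv)
{
    mock_destroy(*pv);
    *pv = NULL;
}

/* Hypothetical step that can fail; it never takes ownership of v. */
static int mock_step(MOCK_VALUE *v, int fail)
{
    (void)v;
    return fail ? 1 : 0;
}

/* Shape of the reported bug: the caller destroys v in the error branch and
 * again in the shared tail, so a failing step releases v twice. */
static int buggy_caller(MOCK_VALUE *v, int fail)
{
    int result = 0;
    if (mock_step(v, fail) != 0)
    {
        mock_destroy(v);      /* first release */
        result = 1;
    }
    mock_destroy(v);          /* second release on the failure path */
    return result;
}

/* Hardened shape: error branches only record the result; one cleanup point
 * releases v exactly once and clears the slot that owned it. */
static int fixed_caller(MOCK_VALUE **pv, int fail)
{
    int result = (mock_step(*pv, fail) != 0) ? 1 : 0;
    mock_destroy_and_clear(pv);
    return result;
}
```

Running the failing path through both callers shows destroy_calls reaching 2 for the buggy shape and staying at 1 for the hardened one, which is the property a unit test or a sanitizer build should pin down before the code ships.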
kydahe changed the title from "src/amqp_definitions.c exists memory double-free issues" to "src/amqp_definitions.c, src/cbs.c exist memory double-free issues" on Aug 18, 2021.