AVSystem / Anjay

C implementation of the client-side OMA LwM2M protocol

Segmentation fault due to 'use after free' caused by on_network_error() #45

Closed dkdanilka closed 4 years ago

dkdanilka commented 4 years ago

The following flow triggers "Segmentation fault": trigger_observe()->flush_next_unsent()->on_entry_flushed()->on_network_error()->_anjay_server_on_failure()

anjay_observe_connection_entry_t pointer is not valid anymore after _anjay_server_on_failure(). This routine calls _anjay_observe_cleanup_connection() which in turn releases allocated memory for currently used anjay_observe_connection_entry_t structure.

In my case I have segmentation fault in cleanup_serialization_state()->_anjay_output_ctx_destroy() because conn->serialization_state.out_ctx points to invalid memory.

This segmentation fault is sporadic because released memory can be partially valid after free() some time. However, it can be reproduced every time if the following libc feature was enabled: export MALLOC_PERTURB_=255

I can reproduce it on 2.2.1, but most probably 2.4.2 has this issue as well.
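As an added example (not Anjay's code), a small C model of the ownership problem the report describes, using hypothetical names: the failure callback reports whether it tore down the connection entry, and the caller stops touching the entry when it did, instead of going on to clean serialization state that was already freed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the structures named in the report. */
typedef struct { void *out_ctx; } serialization_state_t;
typedef struct {
    serialization_state_t serialization_state;
    bool *destroyed;   /* constructed: lets a caller observe the free */
} conn_entry_t;

static conn_entry_t *make_entry(bool *destroyed) {
    conn_entry_t *conn = calloc(1, sizeof *conn);
    conn->serialization_state.out_ctx = malloc(16); /* constructed out_ctx */
    conn->destroyed = destroyed;
    return conn;
}

/* Models _anjay_observe_cleanup_connection(): frees the whole entry. */
static void cleanup_connection(conn_entry_t *conn) {
    free(conn->serialization_state.out_ctx);
    if (conn->destroyed) *conn->destroyed = true;
    free(conn);
}

/* Models _anjay_server_on_failure(). The fix pattern: the callback tells the
 * caller whether the entry it was given still exists. */
static bool server_on_failure(conn_entry_t *conn, bool fatal) {
    if (fatal) { cleanup_connection(conn); return true; }
    return false;
}

/* Models on_network_error(). The buggy shape ignores the callback's result and
 * then frees conn->serialization_state.out_ctx through a dangling pointer.
 * Returns -1 when the entry is gone, 0 when it survived and was cleaned. */
static int on_network_error(conn_entry_t *conn, bool fatal) {
    if (server_on_failure(conn, fatal)) return -1; /* conn is dangling now */
    free(conn->serialization_state.out_ctx);
    conn->serialization_state.out_ctx = NULL;
    return 0;
}

/* Returns 1 if the entry was destroyed and the caller stopped, 2 if it survived
 * and was cleaned in place, 0 on any inconsistency. */
static int run_scenario(bool fatal) {
    bool destroyed = false;
    conn_entry_t *conn = make_entry(&destroyed);
    if (on_network_error(conn, fatal) < 0) return destroyed ? 1 : 0;
    int ok = !destroyed && conn->serialization_state.out_ctx == NULL;
    free(conn);
    return ok ? 2 : 0;
}
```

Building with -fsanitize=address and setting MALLOC_PERTURB_ as the report suggests both make the dangling access in the unchecked variant deterministic rather than sporadic.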

kFYatek commented 4 years ago

First of all, thank you for the report and analysis.

When we attempted to reproduce your problem, we found different kinds of errors than you report. However, we indeed identified some problems with error handling in that part of the code.

Hopefully this is fixed in today's 2.4.3 release. Please check if this solves your problems.

dkdanilka commented 4 years ago

I have checked the source code of 2.5.0 and I see the issue I described was fixed in 2.4.4. The following diff resolves the issue. git show 2.4.4 src/core/observe/anjay_observe_core.c