Closed dkdanilka closed 4 years ago
First of all, thank you for the report and analysis.
When we attempted to reproduce your problem, we found different kinds of errors than you report. However, we indeed identified some problems with error handling in that part of the code.
Hopefully this is fixed in today's 2.4.3 release. Please check if this solves your problems.
I have checked the source code of 2.5.0 and I see the issue I described was fixed in 2.4.4. The following diff resolves the issue: git show 2.4.4 src/core/observe/anjay_observe_core.c
The following flow triggers "Segmentation fault": trigger_observe()->flush_next_unsent()->on_entry_flushed()->on_network_error()->_anjay_server_on_failure()
The anjay_observe_connection_entry_t pointer is not valid anymore after _anjay_server_on_failure(). This routine calls _anjay_observe_cleanup_connection(), which in turn releases the memory allocated for the anjay_observe_connection_entry_t structure currently in use.
In my case I have segmentation fault in cleanup_serialization_state()->_anjay_output_ctx_destroy() because conn->serialization_state.out_ctx points to invalid memory.
This segmentation fault is sporadic because released memory can remain partially valid for some time after free(). However, it can be reproduced every time if the following libc feature is enabled: export MALLOC_PERTURB_=255
I can reproduce it on 2.2.1, but most probably 2.4.2 has this issue as well.
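As an added illustration (not Anjay's code), the flow from the report modelled with the ownership rule the fix needs: a callback that can free its argument must tell the caller, and the caller must stop using the pointer once it has. The function names mirror the stack above; the two structs, the send_fails knob and the freed_entries counter are constructed for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed stand-ins for conn->serialization_state.out_ctx and
 * anjay_observe_connection_entry_t (not Anjay's real types). */
typedef struct { char scratch[16]; } out_ctx_t;
typedef struct {
    out_ctx_t *out_ctx;
    bool       send_fails;   /* constructed knob: simulate a network error */
} conn_entry_t;
int freed_entries = 0;       /* lets the caller observe that the free happened */

/* Models _anjay_observe_cleanup_connection(): releases the whole entry,
 * output context included. After this, conn is a dangling pointer. */
static void cleanup_connection(conn_entry_t *conn) {
    free(conn->out_ctx);
    free(conn);
    freed_entries++;
}
/* Models _anjay_server_on_failure(): tears the connection down. */
static void server_on_failure(conn_entry_t *conn) { cleanup_connection(conn); }

/* Models cleanup_serialization_state(): the access that faulted in the
 * report, because it ran after the entry had already been freed. */
static void cleanup_serialization_state(conn_entry_t *conn) {
    free(conn->out_ctx);
    conn->out_ctx = NULL;
}

/* Models on_entry_flushed(): returns false once the failure path has
 * released conn, so the caller knows it must not touch conn again. */
static bool on_entry_flushed(conn_entry_t *conn) {
    if (!conn->send_fails) return true;
    server_on_failure(conn);     /* frees conn */
    return false;
}

/* Models flush_next_unsent() with the lifetime check added; the faulting
 * ordering called cleanup_serialization_state() unconditionally. */
int flush_next_unsent(conn_entry_t *conn) {
    if (!on_entry_flushed(conn)) return -1;   /* entry gone: stop here */
    cleanup_serialization_state(conn);
    return 0;
}

conn_entry_t *make_entry(bool send_fails) {
    conn_entry_t *conn = calloc(1, sizeof *conn);
    conn->out_ctx = calloc(1, sizeof *conn->out_ctx);
    conn->send_fails = send_fails;
    return conn;
}
```

Without the early return, the freed-entry path dereferences conn in cleanup_serialization_state(); running such a build with MALLOC_PERTURB_ set makes that dangling read fail deterministically instead of sporadically.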