The issue is in message_sender.c:104 (on_delivery_settled):
A disposition is received for a pending message that was previously sent;
The delivery_state is garbled (due to fuzzing) and cannot be decoded (with amqpvalue_get_inplace_descriptor);
Since it is not decoded, the on_message_send_complete callback is not invoked (which would land on cbs.c:on_amqp_management_execute_operation_complete, which would release hold of the ASYNC_OPERATION_HANDLE [cbs_operation->token_operation_async_context] related to this message [cbs.c:257:async_operation_destroy]);
However, on_delivery_settled proceeds to destroy the ASYNC_OPERATION_HANDLE anyway (message_sender.c:154:remove_pending_message);
Now, when the cbs instance is destroyed, it will still attempt to destroy the pending ASYNC_OPERATION_HANDLE (cbs_operation->token_operation_async_context), since it never received a response, causing a memory access violation (the handle is freed a second time).
Note: there are no unit tests for message_sender.c, so no tests were updated or added.
This bug was detected using fuzzing tests.
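The ownership mismatch described above, as an added, constructed model (not azure-uamqp-c code; all names are hypothetical): the sender and the CBS instance both hold the same async-operation handle, and the completion callback is the only place CBS drops its reference. With `notify_on_decode_error` set to 0 the sender frees the handle without telling CBS, reproducing the double destroy; with 1 it reports the undecodable disposition as a send error first, which is one way to keep both owners consistent.

```c
#include <stddef.h>

/* Constructed model of the bug: one handle, two owners, one callback that
 * clears the second owner's reference. Names are hypothetical. */
typedef struct async_op { int destroyed; } ASYNC_OP;
typedef struct cbs { ASYNC_OP *token_operation_async_context; } CBS;
typedef struct pending_message { ASYNC_OP *op; CBS *owner; } PENDING_MESSAGE;

static int destroy_calls; /* how often async_operation_destroy ran for the handle */
static void async_operation_destroy(ASYNC_OP *op) { destroy_calls++; op->destroyed++; }

/* Models cbs.c's completion callback: CBS releases its hold on the handle. */
static void on_message_send_complete(CBS *cbs, int send_result) {
    (void)send_result;
    cbs->token_operation_async_context = NULL;
}

/* decoded: whether the disposition's delivery_state could be decoded.
 * notify_on_decode_error: 0 reproduces the reported behaviour, 1 the safe variant. */
static void on_delivery_settled(PENDING_MESSAGE *pm, int decoded, int notify_on_decode_error) {
    if (decoded)
        on_message_send_complete(pm->owner, 0 /* send OK */);
    else if (notify_on_decode_error)
        on_message_send_complete(pm->owner, 1 /* send ERROR */);
    /* remove_pending_message: the sender releases the handle unconditionally */
    async_operation_destroy(pm->op);
}

/* Models cbs_destroy: frees whatever CBS still believes is outstanding. */
static void cbs_destroy(CBS *cbs) {
    if (cbs->token_operation_async_context != NULL)
        async_operation_destroy(cbs->token_operation_async_context);
}

/* Runs one garbled-disposition scenario and returns how many times the single
 * handle was destroyed: 2 is the double destroy from the report, 1 is correct. */
int destroy_count_for_garbled_disposition(int notify_on_decode_error) {
    ASYNC_OP op = { 0 };
    CBS cbs = { &op };
    PENDING_MESSAGE pm = { &op, &cbs };
    destroy_calls = 0;
    on_delivery_settled(&pm, 0 /* decode failed */, notify_on_decode_error);
    cbs_destroy(&cbs);
    return destroy_calls;
}
```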