src/amqp_definitions.c and src/cbs.c exist memory double-free issues that free a memory which is already freed.
src/amqp_definitions.c
In sasl_mechanisms_get_sasl_server_mechanisms function, the second parameter "sasl_server_mechanisms_value" memory could be freed by amqpvalue_destroy() in Line 10420, 10427, 10435 and then was freed again in the end of function (Line 10446).
That means the "sasl_server_mechanisms_value" memory must be freed twice, leading to double free issues.
int sasl_mechanisms_get_sasl_server_mechanisms(SASL_MECHANISMS_HANDLE sasl_mechanisms, AMQP_VALUE* sasl_server_mechanisms_value)
{
...
else
{
AMQP_VALUE single_amqp_value = amqpvalue_create_symbol(sasl_server_mechanisms_single_value);
if (single_amqp_value == NULL)
{
amqpvalue_destroy(*sasl_server_mechanisms_value); //may be double-free issues
result = MU_FAILURE;
}
else
{
if (amqpvalue_add_array_item(*sasl_server_mechanisms_value, single_amqp_value) != 0)
{
amqpvalue_destroy(*sasl_server_mechanisms_value); //may be double-free issues
amqpvalue_destroy(single_amqp_value);
result = MU_FAILURE;
}
else
{
if (amqpvalue_set_composite_item(sasl_mechanisms_instance->composite_value, 0, *sasl_server_mechanisms_value) != 0)
{
amqpvalue_destroy(*sasl_server_mechanisms_value); //may be double-free issues
result = MU_FAILURE;
}
else
{
result = 0;
}
}
amqpvalue_destroy(single_amqp_value);
}
amqpvalue_destroy(*sasl_server_mechanisms_value); //Double-Free issue.
}
}
else
{
result = 0;
}
}
}
}
}
}
return result;
}
src/cbs.c
https://github.com/Azure/azure-uamqp-c/blob/master/src/cbs.c
In cbs_put_token_async function, "token_value" memory is freed by message_set_body_amqp_value() in Line 549 first. And then "token_value" memory is freed again in the end of function (Line 639) by amqpvalue_destroy(), causing double free issues.
ASYNC_OPERATION_HANDLE cbs_put_token_async(CBS_HANDLE cbs, const char* type, const char* audience, const char* token, ON_CBS_OPERATION_COMPLETE on_cbs_put_token_complete, void* on_cbs_put_token_complete_context)
{
...
/* Codes_SRS_CBS_01_009: [ The body of the message MUST contain the token. ]*/
if (message_set_body_amqp_value(message, token_value) != 0) //!!! token_value is freed by message_set_body_amqp_value
{
/* Codes_SRS_CBS_01_072: [ If constructing the message fails, `cbs_put_token_async` shall fail and return a non-zero value. ]*/
LogError("Failed setting the token in the message body");
result = NULL;
}
...
message_destroy(message); //!!! token_value is freed again --- Double Free issues
}
}
return result;
}
src/amqp_definitions.c and src/cbs.c exist memory double-free issues that free a memory which is already freed.