Open GoesM opened 2 months ago
Well, it seems that such an issue has been fixed in the ros2 branch:
but there is no such code to reset these pointers in both the iron and humble branches.
Feel free to backport, happy to merge that for humble/iron
Shall I backport by cherry-pick? 🤔 I think the past commit for this issue would change humble a lot:
https://github.com/SteveMacenski/slam_toolbox/commit/de13553d9f92e3773da4b2ff6eebd1977b9337f6
I'd try cherry-pick, but if it looks too hard, I understand manual for this case.
Required Info:
Steps to reproduce issue
I use slam-toolbox (async) with the following command:
Running Slam-Toolbox within AddressSanitizer, I always faced such a UAF report during the shutdown period.
Expected behavior
No UAF occurs
Actual behavior
We could always face an ASAN report about a UAF bug, as follows:
Additional information
The function laserCallback() is bound to scan_filter_sub_ and scan_filter_ as follows:
https://github.com/SteveMacenski/slam_toolbox/blob/94cec982a7f850818187c81295d1212f145efe37/src/slam_toolbox_common.cpp#L233-L241
but there's no reset() for these two pointers in the destructor:
https://github.com/SteveMacenski/slam_toolbox/blob/94cec982a7f850818187c81295d1212f145efe37/src/slam_toolbox_common.cpp#L85-L101
So the callback function might still be running after the node is destructed, causing the UAF bug as a result.
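The shape of the bug described in this issue, as an added example that is not part of the issue or of slam_toolbox: a callback bound to `this` stays registered while the destructor body frees the state it uses, so a scan delivered during shutdown reaches a half-destroyed node. The `LaserScan`, `Mapper`, `Subscription` and `Dispatcher` types, the `Node` class and the `late_callbacks()` helper are constructed stand-ins for the ROS 2 types and for an executor that holds only weak references; they are not the rclcpp API. The delivery "racing" with shutdown is emulated deterministically by publishing from inside the destructor body instead of from another thread, and the callback counts a late delivery rather than dereferencing the freed mapper, so the example stays memory-safe while showing why resetting the subscription before tearing down other members closes the window.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <vector>

// Constructed stand-ins for sensor_msgs::msg::LaserScan, the mapper the
// callback works on, and an rclcpp subscription (not the real types).
struct LaserScan { std::vector<float> ranges; };

struct Mapper {
    int scans_processed = 0;
    void process(const LaserScan&) { ++scans_processed; }
};

struct Subscription {
    std::function<void(const LaserScan&)> callback;
};

// Emulates the executor side: it keeps only weak references, so a
// subscription stops receiving messages as soon as its owner drops it.
class Dispatcher {
public:
    std::shared_ptr<Subscription> subscribe(std::function<void(const LaserScan&)> cb) {
        auto sub = std::make_shared<Subscription>();
        sub->callback = std::move(cb);
        subs_.push_back(sub);
        return sub;
    }
    // Deliver to every subscription still alive; returns the number delivered.
    int publish(const LaserScan& scan) {
        int delivered = 0;
        for (auto& weak : subs_) {
            if (auto sub = weak.lock()) { sub->callback(scan); ++delivered; }
        }
        return delivered;
    }
private:
    std::vector<std::weak_ptr<Subscription>> subs_;
};

// The callback is bound to `this` and relies on mapper_, which the
// destructor body frees. With reset_subscription_in_dtor == false the
// subscription outlives that teardown (the shape reported in the issue);
// with true it is dropped first, so nothing can be dispatched afterwards.
class Node {
public:
    Node(Dispatcher& d, bool reset_subscription_in_dtor, int& late_counter)
        : dispatcher_(d), late_(late_counter),
          reset_in_dtor_(reset_subscription_in_dtor),
          mapper_(std::make_unique<Mapper>()) {
        scan_sub_ = dispatcher_.subscribe(
            [this](const LaserScan& s) { laserCallback(s); });
    }
    ~Node() {
        if (reset_in_dtor_) {
            scan_sub_.reset();  // hardened: unregister before freeing state
        }
        mapper_.reset();        // frees the state the callback depends on
        // Emulates a scan arriving from another thread mid-shutdown.
        dispatcher_.publish(LaserScan{{1.0f}});
    }
private:
    void laserCallback(const LaserScan& scan) {
        // With the real code this path would dereference freed memory;
        // here it is only counted so the example stays memory-safe.
        if (!mapper_) { ++late_; return; }
        mapper_->process(scan);
    }
    Dispatcher& dispatcher_;
    int& late_;
    bool reset_in_dtor_;
    std::unique_ptr<Mapper> mapper_;
    std::shared_ptr<Subscription> scan_sub_;
};

// Returns how many callbacks reached a node whose mapper was already freed:
// 1 for the unreset subscription, 0 once the destructor resets it first.
int late_callbacks(bool reset_subscription_in_dtor) {
    Dispatcher d;
    int late = 0;
    {
        Node n(d, reset_subscription_in_dtor, late);
        d.publish(LaserScan{{0.5f}});  // normal delivery while the node is alive
    }
    return late;
}

int main() {
    std::cout << "without reset(): late callbacks = " << late_callbacks(false) << '\n';
    std::cout << "with reset():    late callbacks = " << late_callbacks(true) << '\n';
    return 0;
}
```

The same ordering applies to the real code: any member holding a callback bound to `this` (here scan_filter_sub_ and scan_filter_) should be reset at the top of the destructor body, before smapper_, dataset_ or other state the callback touches is freed, so the executor can no longer dispatch into the object being destroyed.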