apache / rocketmq-client-cpp

Apache RocketMQ cpp client
https://rocketmq.apache.org/
Apache License 2.0

[vulnerability] Mismatched free in CProducer #426

Closed ChrisZhangJin closed 2 years ago

ChrisZhangJin commented 2 years ago

I found a mismatched free in CProducer while scanning with Valgrind.

Valgrind report

Here is the report sample:

    ==1570== Mismatched free() / delete / delete []
    ==1570==    at 0x4C2B51D: operator delete(void*) (vg_replace_malloc.c:586)
    ==1570==    by 0x1736BC86: DestroyProducer (in /usr/lib64/librocketmq.so)
    ... ....
    ==1570==  Address 0xd1cfb10 is 0 bytes inside a block of size 256 alloc'd
    ==1570==    at 0x4C2AC38: operator new[](unsigned long) (vg_replace_malloc.c:433)
    ==1570==    by 0x1736B7F9: CreateProducer (in /usr/lib64/librocketmq.so)
    ... ....

The corresponding code

I checked the code, and found it was indeed a mismatched delete of a char array. Here is the new: [screenshot], while here is the delete: [screenshot]

Found version:

I have only used 2.0.1 and 2.2.0, but both have the same issue.

It is a vulnerability, not literally a bug, actually.
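
As an added illustration (not code from rocketmq-client-cpp; the CProducer, CreateProducer and DestroyProducer names below are a hypothetical stand-in for the real ones), here is the allocation/deallocation pair the Valgrind report describes: a 256-byte char array obtained with new[], the scalar delete that triggers "Mismatched free() / delete / delete []" shown as a comment next to the correct delete[], and an owning-type variant that removes the manual delete altogether.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>

// Hypothetical C-style handle modelled on the shape of the report:
// the producer owns a fixed 256-byte char array (the "block of size 256").
struct CProducer {
    char *groupName;
    size_t capacity;
};

// Mirrors the allocation Valgrind flagged: the buffer comes from operator new[].
CProducer *CreateProducer(const char *groupName) {
    CProducer *p = new CProducer;
    p->capacity = 256;
    p->groupName = new char[p->capacity];              // array new
    std::strncpy(p->groupName, groupName, p->capacity - 1);
    p->groupName[p->capacity - 1] = '\0';
    return p;
}

// Before the fix the release looked like this (do not use):
//     delete producer->groupName;   // scalar delete on new[] storage: undefined
//                                   // behaviour, reported by Valgrind as a
//                                   // mismatched free / delete / delete []
// Every new[] must be released with delete[]:
int DestroyProducer(CProducer *producer) {
    if (producer == nullptr) return -1;
    delete[] producer->groupName;                      // array delete matches array new
    delete producer;                                   // scalar delete matches scalar new
    return 0;
}

// Hardened alternative: let the type own the array, so the destructor always
// runs delete[] and there is no hand-written delete left to get wrong.
struct CProducerSafe {
    static constexpr size_t kCapacity = 256;
    std::unique_ptr<char[]> groupName;                 // unique_ptr<T[]> calls delete[]
    explicit CProducerSafe(const char *name) : groupName(new char[kCapacity]) {
        std::strncpy(groupName.get(), name, kCapacity - 1);
        groupName[kCapacity - 1] = '\0';
    }
};
```

Running the first version under Valgrind or AddressSanitizer (`-fsanitize=address`) reproduces the report; after switching to delete[] or the owning type, the mismatch disappears.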

ShannonDing commented 2 years ago

Yes, it seems like a memory leak. Could you please create a PR to fix it?

ChrisZhangJin commented 2 years ago

I'd love to, but I found it was fixed in master. Here is the commit: [6523dcc3b309a1065375e40657f68f66bfeca38d] [screenshot]