[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#9097) lmdb: premature free of env->me_txn0

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#9097) lmdb: premature free of env->me_txn0
From: hyc@symas.com
Date: Wed, 16 Oct 2019 01:00:02 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

christopher@gmerlin.de wrote:
> Full_Name: Christopher Zimmermann
> Version: lmdb 0.9.24
> OS: OpenBSD
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (85.212.180.240)
> 
> 
> Hi,
> 
> I can reliably hit a Bus error on OpenBSD.
> This is triggered by OpenBSDs malloc/free junking [1] and a use-after-free bug
> in lmdb.
> 
> Steps to reproduce:
> - begin a read/write transaction (getting env->me_txn0)
> - fill the environment
>   -> returns MDB_MAP_FULL
>   -> sets txn->mt_flags |= MDB_TXN_ERROR; (This is also env->me_txn0 !)
>   -> calls mdb_txn_abort
...
> - abort the transaction (again) with mdb_abort()

This is a bug in your code, you can't call txn_abort twice. This is
already documented. Closing this ITS.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: (ITS#9097) lmdb: premature free of env->me_txn0
Next by Date: Re: (ITS#9097) lmdb: premature free of env->me_txn0
Index(es):
- Chronological
- Thread