Do not call MMDB_free_entry_data_list() on libmaxminddb failures #39
+0
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
After upgrading libmaxminddb from 1.11.0 to 1.12.0,
t/MaxMind/DB/Reader-broken-databases.t started to segfault. A minimal
reproducer is:
use MaxMind::DB::Reader;
# Test broken doubles
my $reader = MaxMind::DB::Reader->new( file => 'maxmind-db/test-data/GeoIP2-City-Test-Broken-Double-Format.mmdb');
$reader->record_for_address('2001:220::');
The cause was that MaxMind-DB-Reader-XS called
MMDB_free_entry_data_list(entry_data_list) when handling
a MMDB_get_entry_data_list(, &entry_data_list) failure. But
MMDB_get_entry_data_list() did not initialize the pointer in case of
error.
That was not true even before libmaxminddb 1.12.0, but because
previous libmaxminddb versions did not free the memory itself, the
erroneous MMDB_free_entry_data_list() call actually operated on valid
data and no crash occured. When libmaxminddb 1.12.0 started correctly
to clean up on the error, MaxMind-DB-Reader-XS started to double-free
entry_data_list leading to a crash.
This bug was introduced with e5322e5
commit ("free entry data list before croaking on failed calls to get
entry data list").
This patch removes all MMDB_free_entry_data_list() calls when handling
libmaxminddb failures as the pointer is supposed to be undefined in
that case. This patch does not conditionalize this change on
libmaxminddb version because it's better to leak a memory than to
crash after updating libmaxminddb.
|
Thanks for the analysis and the PR. We decided to resolve the issue in |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After upgrading libmaxminddb from 1.11.0 to 1.12.0, t/MaxMind/DB/Reader-broken-databases.t started to segfault. A minimal reproducer is:
The cause was that MaxMind-DB-Reader-XS called
MMDB_free_entry_data_list(entry_data_list) when handling a MMDB_get_entry_data_list(, &entry_data_list) failure. But MMDB_get_entry_data_list() did not initialize the pointer in case of error.
That was not true even before libmaxminddb 1.12.0, but because previous libmaxminddb versions did not free the memory itself, the erroneous MMDB_free_entry_data_list() call actually operated on valid data and no crash occured. When libmaxminddb 1.12.0 started correctly to clean up on the error, MaxMind-DB-Reader-XS started to double-free entry_data_list leading to a crash.
This bug was introduced with e5322e5 commit ("free entry data list before croaking on failed calls to get entry data list").
This patch removes all MMDB_free_entry_data_list() calls when handling libmaxminddb failures as the pointer is supposed to be undefined in that case. This patch does not conditionalize this change on libmaxminddb version because it's better to leak a memory than to crash after updating libmaxminddb.