    BUG#17512527: LIST HANDLING INCORRECT IN MYSQL_PRUNE_STMT_LIST() · 4797ea0b
    Nisha Gopalakrishnan authored
    Analysis:
    ---------
    Invalid memory access may be observed when using prepared statements if:
    a) The mysql client connection is lost after statement preparation
       is complete and
    b) There is at least one statement which is in initialized state but
       not prepared yet.
    
    When the client detects a closed connection, it calls end_server()
    to shutdown the connection. As part of the clean up, the
    mysql_prune_stmt_list() removes the statements which have transitioned
    beyond the initialized state and retains only the statements which
    are in an initialized state. During this processing, the initialized
    statements are moved from 'mysql->stmts' to a temporary 'pruned_list'.
    When moving the first 'INIT_DONE' element to the pruned_list,
    'element->next' is set to NULL. Hence the rest of the list is never
    traversed and the statements which have transitioned beyond the
    initialized state are never invalidated.
    
    When the mysql_stmt_close() is called for the statement which is not
    invalidated, the statements list is updated in order to remove the
    statement. This would end up accessing freed memory (freed by the
    mysql_stmt_close() for a previous statement in the list).
    
    Fix:
    ---
    mysql_prune_stmt_list() called list_add() incorrectly to create a
    temporary list. The use case of list_add() is to add a single
    element to the front of the doubly linked list.
    mysql_prune_stmt_list() called list_add() by passing an entire
    list as the 'element'.
    
    mysql_prune_stmt_list() now uses list_delete() to remove the
    statement which has transitioned beyond the initialized phase.
    Thus the statement list would contain only elements where the
    state of the statement is initialized.
    
    Note: Run the test with valgrind-mysqltest and leak-check=full
    option to see the invalid memory access.
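A constructed C model of the list handling this commit describes, added here as an example; it is not libmysql's code. LIST, list_add() and list_delete() follow the semantics the message gives for the client's intrusive doubly linked list (list_add() prepends one unlinked element and unconditionally overwrites element->next), CLIENT and STMT stand in for MYSQL and MYSQL_STMT, and prune_buggy(), prune_fixed(), stmt_close(), the "PIPI" pattern strings and the counting helpers are assumptions made for illustration. It reproduces the truncation on the first INIT_DONE node, the non-invalidated statement left behind, and the close path that would touch already-freed memory, and shows that detaching each node with list_delete() before list_add() removes all three.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the commit's scenario (not libmysql source). */
typedef struct st_list { struct st_list *prev, *next; void *data; } LIST;

/* Adds ONE unlinked element in front of root and returns the new head.
 * element->next is overwritten unconditionally, so a node that is still
 * linked into another list has that list cut off at this node. */
static LIST *list_add(LIST *root, LIST *element) {
  if (root) {
    if (root->prev) root->prev->next = element;
    element->prev = root->prev;
    root->prev = element;
  } else {
    element->prev = NULL;
  }
  element->next = root;
  return element;
}

/* Unlinks element from the list whose head is root; returns the new head. */
static LIST *list_delete(LIST *root, LIST *element) {
  if (element->prev) element->prev->next = element->next;
  else root = element->next;
  if (element->next) element->next->prev = element->prev;
  return root;
}

enum stmt_state { STMT_INIT_DONE, STMT_PREPARE_DONE };
typedef struct st_client { LIST *stmts; } CLIENT;   /* stands in for MYSQL */
typedef struct st_stmt {                            /* stands in for MYSQL_STMT */
  CLIENT *client;        /* NULL once the statement has been invalidated */
  enum stmt_state state;
  int closed;            /* stands in for "freed by mysql_stmt_close()" */
  LIST list;
} STMT;

/* Pruning as the commit describes the bug: list_add() receives a node still
 * linked into client->stmts, so e->next becomes pruned (NULL for the first
 * INIT_DONE node) and the loop ends before the remaining statements. */
static void prune_buggy(CLIENT *c) {
  LIST *pruned = NULL;
  for (LIST *e = c->stmts; e; e = e->next) {
    STMT *s = e->data;
    if (s->state != STMT_INIT_DONE) s->client = NULL;   /* invalidate */
    else pruned = list_add(pruned, e);
  }
  c->stmts = pruned;
}

/* Fixed pruning: detach the head with list_delete() first, so the node
 * handed to list_add() is no longer part of client->stmts. */
static void prune_fixed(CLIENT *c) {
  LIST *pruned = NULL;
  while (c->stmts) {
    LIST *e = c->stmts;
    STMT *s = e->data;
    c->stmts = list_delete(c->stmts, e);
    if (s->state != STMT_INIT_DONE) s->client = NULL;
    else pruned = list_add(pruned, e);
  }
  c->stmts = pruned;
}

/* Models mysql_stmt_close(): a statement still attached to a client unlinks
 * itself. Returns 1 if that unlink would write through a neighbour that is
 * already closed (the invalid access valgrind reports for the real bug);
 * the write is skipped so the model itself stays memory-safe. */
static int stmt_close(STMT *s) {
  int touches_freed = 0;
  if (s->client) {
    LIST *p = s->list.prev, *n = s->list.next;
    if ((p && ((STMT *)p->data)->closed) || (n && ((STMT *)n->data)->closed))
      touches_freed = 1;
    else
      s->client->stmts = list_delete(s->client->stmts, &s->list);
  }
  s->closed = 1;
  return touches_freed;
}

#define MAX_STMTS 8
/* Builds client->stmts from a constructed pattern such as "PIPI" ('P' prepared,
 * 'I' initialised only), head first; list_add() prepends, so add back to front. */
static void build(CLIENT *c, STMT pool[MAX_STMTS], const char *pattern) {
  c->stmts = NULL;
  for (int i = (int)strlen(pattern) - 1; i >= 0; i--) {
    pool[i].client = c;
    pool[i].state = pattern[i] == 'I' ? STMT_INIT_DONE : STMT_PREPARE_DONE;
    pool[i].closed = 0;
    pool[i].list.data = &pool[i];
    pool[i].list.prev = pool[i].list.next = NULL;
    c->stmts = list_add(c->stmts, &pool[i].list);
  }
}

/* Non-INIT statements still pointing at the client after pruning (should be 0). */
static int dangling_after(void (*prune)(CLIENT *), const char *pattern) {
  CLIENT c; STMT pool[MAX_STMTS]; int bad = 0;
  build(&c, pool, pattern); prune(&c);
  for (int i = 0; pattern[i]; i++)
    if (pool[i].state != STMT_INIT_DONE && pool[i].client) bad++;
  return bad;
}

/* Length of client->stmts after pruning (should equal the number of 'I's). */
static int list_len_after(void (*prune)(CLIENT *), const char *pattern) {
  CLIENT c; STMT pool[MAX_STMTS]; int len = 0;
  build(&c, pool, pattern); prune(&c);
  for (LIST *e = c.stmts; e; e = e->next) len++;
  return len;
}

/* The commit's crash path: prune, close statement `first`, then `second`.
 * Returns 1 if the second close would have touched freed memory. */
static int close_after_prune(void (*prune)(CLIENT *), const char *pattern,
                             int first, int second) {
  CLIENT c; STMT pool[MAX_STMTS];
  build(&c, pool, pattern); prune(&c);
  stmt_close(&pool[first]);
  return stmt_close(&pool[second]);
}

int main(void) {
  printf("buggy: dangling=%d len=%d freed-access=%d\n",
         dangling_after(prune_buggy, "PIPI"), list_len_after(prune_buggy, "PIPI"),
         close_after_prune(prune_buggy, "PIPI", 1, 2));
  printf("fixed: dangling=%d len=%d freed-access=%d\n",
         dangling_after(prune_fixed, "PIPI"), list_len_after(prune_fixed, "PIPI"),
         close_after_prune(prune_fixed, "PIPI", 1, 2));
  return 0;
}
```

With the "PIPI" pattern the buggy prune stops at the first INIT_DONE node: the prepared statement behind it keeps its client pointer and the second INIT_DONE statement drops out of the list, so closing the pruned INIT_DONE statement and then the stale prepared one writes through a prev pointer into a node that has already been closed. The fixed prune leaves no prepared statement attached and keeps both INIT_DONE statements; a pattern with no prepared statement after an INIT_DONE one ("PPI") happens to survive even the buggy code, which is why the bug only shows with at least one statement still in the initialized state ahead of a prepared one.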