Bug #26875
closedkv: MergeOperator name() returns string, and caller calls c_str() on the temporary
Description
On Tue, 7 Aug 2018, Réka Nikolett Kovács wrote:
Hi,
I am working on a bug finding tool that looks for a special kind of use-after-free problem in C++ code (a "checker" module in the Clang Static Analyzer [1]), and I've been running it on a few projects to see if it finds anything interesting.

I've found the following on line 131 in ceph/src/kv/RocksDBStore.cc [2], where I suspect we are returning a pointer to a deallocated memory region:

    return mop->name().c_str();

Here, mop is a std::shared_ptr<KeyValueDB::MergeOperator>, and name() seems to return a string by value [3], a temporary object, on which c_str() is called to obtain a const char * pointing to its inner buffer. But the temporary string object is destroyed at the end of the return statement, and the caller receives a pointer that references a deallocated buffer.

I hope you find this report useful.
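The lifetime rule behind this report, shown as an added example that is not Ceph's code: a stand-in MergeOperator whose name() returns a std::string by value (as the report describes), the defective return-of-c_str() pattern kept only for reference, and two ways of keeping the buffer alive. The class names AppendOperator and MergeOperatorAdapter, the functions dangling_name, owned_name and name_length, and the operator name string are all constructed for this example; the page does not say which fix Ceph chose.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>
#include <utility>

// Stand-in for KeyValueDB::MergeOperator (constructed for this example):
// name() returns a std::string by value, exactly the shape the report describes.
struct MergeOperator {
  virtual ~MergeOperator() = default;
  virtual std::string name() const = 0;
};

struct AppendOperator : MergeOperator {
  // Builds a fresh string on every call, so each caller gets its own temporary.
  // The name is longer than the small-string buffer, so its characters live on the heap.
  std::string name() const override { return std::string("AppendOperator") + "WithLongName"; }
};

// The defective pattern from the report: c_str() is taken from a temporary that is
// destroyed at the end of the return statement, so the returned pointer dangles.
// Kept for reference only; reading through its result is undefined behaviour,
// which is why nothing below calls it.
const char* dangling_name(const std::shared_ptr<MergeOperator>& mop) {
  return mop->name().c_str();
}

// Using the pointer inside the same full-expression is fine: the temporary
// lives until that expression has finished evaluating.
std::size_t name_length(const std::shared_ptr<MergeOperator>& mop) {
  return std::strlen(mop->name().c_str());
}

// Fix A: return the std::string itself, so the caller owns the buffer.
std::string owned_name(const std::shared_ptr<MergeOperator>& mop) {
  return mop->name();
}

// Fix B: when the interface must hand out a const char*, cache the string in an
// object that outlives the pointer (here, the adapter that wraps the operator).
class MergeOperatorAdapter {
 public:
  explicit MergeOperatorAdapter(std::shared_ptr<MergeOperator> mop)
      : mop_(std::move(mop)), cached_name_(mop_->name()) {}  // mop_ is initialised first
  const char* Name() const { return cached_name_.c_str(); }

 private:
  std::shared_ptr<MergeOperator> mop_;
  std::string cached_name_;  // keeps the buffer alive as long as the adapter does
};

int main() {
  auto mop = std::make_shared<AppendOperator>();
  assert(owned_name(mop) == "AppendOperatorWithLongName");
  assert(name_length(mop) == 26);
  MergeOperatorAdapter adapter(mop);
  assert(std::strcmp(adapter.Name(), "AppendOperatorWithLongName") == 0);
  return 0;
}
```

Compiling with -fsanitize=address and dereferencing the result of dangling_name makes the defect observable at runtime as a use-after-free report; the static analyzer checker the reporter mentions finds the same pattern without running the code. Of the two fixes, returning the std::string (Fix A) is the simpler one wherever the caller does not need a C string.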
Updated by Kefu Chai over 5 years ago
- Status changed from In Progress to Fix Under Review
Updated by Kefu Chai over 5 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Patrick Donnelly over 5 years ago
- Copied to Backport #26907: mimic: kv: MergeOperator name() returns string, and caller calls c_str() on the temporary added
Updated by Patrick Donnelly over 5 years ago
- Copied to Backport #26908: luminous: kv: MergeOperator name() returns string, and caller calls c_str() on the temporary added
Updated by Nathan Cutler over 5 years ago
- Status changed from Pending Backport to Resolved