Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
None
-
None
Description
There is no way to resolve situations when mysql_real_connect_cont (after called repeatedly until 0 is returned) fails to initialize a connection:
If one tries to call mysql_close (or async counterpart) on the mysql handler, mysql_close invokes use after free or double free.
If one doesn't call mysql_close, then the memory is leaked (probably options, but not sure https://github.com/mariadb-corporation/mariadb-connector-c/blob/3.3/libmariadb/mariadb_lib.c#L2011).
Use after free comes from here:
first free: https://github.com/mariadb-corporation/mariadb-connector-c/blob/3.3/libmariadb/mariadb_lib.c#L1729
second free: https://github.com/mariadb-corporation/mariadb-connector-c/blob/3.3/libmariadb/mariadb_lib.c#L2382
If this is indeed a bug this renders mariadb-connector-c async functionality borderline unusable or at the very least unsound in long-running server applications.
Repro is attached, one could either follow the README to run it dockerized or just test on host machine
Attachments
Activity
| Field | Original Value | New Value |
|---|---|---|
| Attachment | unrecoverable_mysql_real_connect_cont.zip [ 67565 ] |
| Fix Version/s | 3.3.4 [ 28434 ] |
| Status | Open [ 1 ] | Confirmed [ 10101 ] |
| Component/s | Non blocking API [ 19006 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Confirmed [ 10101 ] | Closed [ 6 ] |