Invalid read in plugin-libevent.c

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0.7, 2.0.2
Fix Version/s: 2.0.3
Component/s: library
Security Level: Public
Labels:
None
Environment:
Centos 5.5, Couchbase server 1.8, libcouchbase 1.02

Description

In plugin-libevent.c, event_new() mallocs a "struct event", which is not initialized, then passes it to event_assign(), which passes it into event_base_set(), causing an invalid read. We picked it up during a valgrind run of our program.

See lines 47 - 78 here: https://github.com/couchbase/libcouchbase/blob/master/plugins/io/libevent/plugin-libevent.c

Proposed patch:

Index: libcouchbase/src/plugin-libevent.c
===================================================================
--- libcouchbase/src/plugin-libevent.c (revision 16)
+++ libcouchbase/src/plugin-libevent.c (working copy)
@@ -47,7 +47,6 @@
              event_callback_fn callback,
              void *arg)
{
- event_base_set(base, ev);
     ev->ev_callback = callback;
     ev->ev_arg = arg;
     ev->ev_fd = fd;
@@ -56,6 +55,7 @@
     ev->ev_flags = EVLIST_INIT;
     ev->ev_ncalls = 0;
     ev->ev_pncalls = NULL;
+ event_base_set(base, ev);

     return 0;
}

Activity

Ascending order - Click to sort in descending order

Sergey Avseyev made changes - 29/Jan/13 3:15 PM

Field	Original Value	New Value
Fix Version/s		2.0.3 [ 10470 ]

Hide

Permalink

Sergey Avseyev added a comment - 31/Jan/13 2:12 AM

http://review.couchbase.org/24316

Show

Sergey Avseyev added a comment - 31/Jan/13 2:12 AM http://review.couchbase.org/24316

Sergey Avseyev made changes - 31/Jan/13 2:12 AM

Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Fixed [ 1 ]

Sergey Avseyev made changes - 06/Feb/13 1:48 PM

Status

Resolved [ 5 ]

Closed [ 6 ]

People

Assignee:

Sergey Avseyev

Reporter:

James

Vote (0)

Watch (0)

Dates

Created:

23/Jan/13 8:53 AM

Updated:

06/Feb/13 1:48 PM

Resolved:

31/Jan/13 2:12 AM

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified

Agile

View on Board