Re: (ITS#9097) lmdb: premature free of env->me_txn0

Tuesday, 15 October 2019

christopher(a)gmerlin.de wrote:
...
 Full_Name: Christopher Zimmermann
 Version: lmdb 0.9.24
 OS: OpenBSD
 URL: ftp://ftp.openldap.org/incoming/
 Submission from: (NULL) (85.212.180.240)

 Hi,

 I can reliably hit a Bus error on OpenBSD.
 This is triggered by OpenBSDs malloc/free junking [1] and a use-after-free bug
 in lmdb.

 Steps to reproduce:
 - begin a read/write transaction (getting env->me_txn0)
 - fill the environment
   -> returns MDB_MAP_FULL
   -> sets txn->mt_flags |= MDB_TXN_ERROR; (This is also env->me_txn0 !)
   -> calls mdb_txn_abort ...
...
 - abort the transaction (again) with mdb_abort() 
This is a bug in your code, you can't call txn_abort twice. This is
already documented. Closing this ITS.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006