Type: Bug
Resolution: Fixed
Priority: Critical - P2
Affects Version/s: 1.5.0
Component/s: None
Session::endSession() calls mongoc_client_session_destroy(), which frees the session object, but it leaves intern->client_session pointing at the freed memory. This can lead to a double free (later, from php_phongo_session_free_object()) or to use-after-free bugs in other methods that dereference the pointer. The double-free case is trivially fixed by assigning NULL after calling mongoc_client_session_destroy(), but the use-after-free fix will require additional checks in other methods that currently assume intern->client_session is non-NULL.
Note: We typically don't assign NULL to our resource pointers after destroying them, because that destruction happens during a free_object handler and the zval struct will soon be freed; however, that is not the case for endSession().
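The following is an added illustration of the lifetime bug described above, not code from the PHP driver or libmongoc. It models the pattern in plain C with a hypothetical session pool so that a second destroy or a read of a destroyed object is counted instead of corrupting the heap: end_session_buggy() mirrors the original endSession(), end_session_fixed() the NULL-assigning fix, free_object() the free_object handler, and cluster_time_buggy()/cluster_time_fixed() stand in for a method that assumes the pointer is live versus one that checks it. The assumption that a destroy function accepts NULL as a no-op is stated in the code; the struct, function and field names are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the lifetime bug (added example; not the driver's code).
 * Sessions live in a small static pool instead of the heap so that a second
 * destroy, or a read of a destroyed object, can be counted rather than crash. */
#define POOL_SIZE 4

typedef struct {
    bool live;          /* false once destroyed; any later access is a UAF */
    int  cluster_time;  /* stand-in for data a real method would read */
} session_t;

static session_t pool[POOL_SIZE];
static int double_frees = 0;  /* destroy called on an already-destroyed object */
static int uaf_reads = 0;     /* a method read an already-destroyed object */

static session_t *session_new(int slot, int cluster_time) {
    session_t *s = &pool[slot];
    s->live = true;
    s->cluster_time = cluster_time;
    return s;
}

/* Stand-in for mongoc_client_session_destroy(). A NULL argument is treated as
 * a no-op (assumed to match libmongoc's destroy functions); a second call on
 * the same object is the double free the ticket describes. */
static void session_destroy(session_t *s) {
    if (s == NULL) return;
    if (!s->live) { double_frees++; return; }
    s->live = false;
}

/* Stand-in for the PHP object struct that owns the resource pointer. */
typedef struct {
    session_t *client_session;
} php_session_t;

/* Before the fix: endSession() destroys but leaves the pointer dangling. */
static void end_session_buggy(php_session_t *intern) {
    session_destroy(intern->client_session);
}

/* After the fix: destroy, then clear the pointer so later code can tell
 * "already ended" from "live". */
static void end_session_fixed(php_session_t *intern) {
    session_destroy(intern->client_session);
    intern->client_session = NULL;
}

/* Stand-in for the free_object handler, run once when the zval is freed.
 * With the buggy endSession() the dangling pointer is destroyed a second time. */
static void free_object(php_session_t *intern) {
    session_destroy(intern->client_session);
}

/* A method that assumes client_session is non-NULL (the UAF half of the bug).
 * Note that with only the NULL-assigning fix in place this would dereference NULL. */
static int cluster_time_buggy(php_session_t *intern) {
    session_t *s = intern->client_session;
    if (!s->live) uaf_reads++;
    return s->cluster_time;
}

/* Hardened method: check for an ended session first; -1 means "no session". */
static int cluster_time_fixed(php_session_t *intern) {
    session_t *s = intern->client_session;
    if (s == NULL) return -1;
    if (!s->live) uaf_reads++;
    return s->cluster_time;
}

/* One object lifetime: create, endSession(), call a method, then free the object. */
static void run_lifetime(bool fixed) {
    double_frees = 0;
    uaf_reads = 0;
    php_session_t intern = { session_new(0, 42) };
    if (fixed) {
        end_session_fixed(&intern);
        (void) cluster_time_fixed(&intern);
    } else {
        end_session_buggy(&intern);
        (void) cluster_time_buggy(&intern);
    }
    free_object(&intern);
}

static int double_frees_in_lifetime(bool fixed) { run_lifetime(fixed); return double_frees; }
static int uaf_reads_in_lifetime(bool fixed)    { run_lifetime(fixed); return uaf_reads; }

int main(void) {
    printf("buggy: double frees=%d, UAF reads=%d\n",
           double_frees_in_lifetime(false), uaf_reads_in_lifetime(false));
    printf("fixed: double frees=%d, UAF reads=%d\n",
           double_frees_in_lifetime(true), uaf_reads_in_lifetime(true));
    return 0;
}
```

The buggy lifetime records one double free and one use-after-free read; the fixed lifetime records neither, because the cleared pointer turns the second destroy into a no-op and the method's NULL check turns the stale read into an error return. The point the ticket makes is visible in cluster_time_buggy(): assigning NULL in endSession() alone converts the use-after-free into a NULL dereference, so every method that touches the pointer needs its own check.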
Is related to: PHPC-1231 Add Session::isInTransaction to indicate whether a transaction is active (Closed)