Uploaded image for project: 'PHP Driver: Extension'
  1. PHP Driver: Extension
  2. PHPC-1243

Calling session methods after Session::endSession() causes use-after-free crash

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Critical - P2 Critical - P2
    • 1.5.2
    • Affects Version/s: 1.5.0
    • Component/s: None
    • None

      Session::endSession() calls mongoc_client_session_destroy(), which frees the session object; however, it leaves the intern->client_session as-is. This can lead to a double-free (later from php_phongo_session_free_object()) or possible use-after-free bugs due to other methods. The double-free case is trivially fixed by assigning NULL after calling mongoc_client_session_destroy() but the use-after-free fix will require additional checks in other methods that currently assume intern->client_session is non-null.

      Note: We typically don't assign NULL to our resource pointers after destroying them because that destruction happens during a free_object handler and the zval struct will soon be freed; however that is not the case for endSession().

            Assignee:
            derick Derick Rethans
            Reporter:
            jmikola@mongodb.com Jeremy Mikola
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: