Bug #54404 Host app crash during SQLDisconnect caused by reget_current_catalog
Submitted: 10 Jun 2010 15:29 Modified: 10 Jun 2010 16:05
Reporter: Edwin van Putten
Status: Duplicate
Category: Connector / ODBC Severity: S1 (Critical)
Version: 5.1.5GA / 5.1.6 OS: Any
Assigned to: CPU Architecture: Any
Tags: my_bool reget_current_catalog, SQLDisconnect, SQLFreeConnect

[10 Jun 2010 15:29] Edwin van Putten
Description:

Please look at source module "utility.c" at function: 

my_bool reget_current_catalog(DBC FAR *dbc)
{
    my_free(dbc->database,MYF(0));
    if ( odbc_stmt(dbc, "select database()") )
...

Here, the "dbc->database" memory is freed with "my_free". 
But, upon disconnecting from the database it's freed again:

SQLRETURN SQL_API SQLDisconnect(SQLHDBC hdbc)
{
  LIST *list_element, *next_element;
  DBC FAR *dbc= (DBC FAR*) hdbc;
...
  x_free(dbc->database);
...

The x_free on dbc->database leads to a host application crash as the heap gets corrupted....

This is related to bug report #48406 (but more compact). 

-- 
Edwin

How to repeat:

Create a database connection to a MySQL server.

Stop the MySQL server to emulate a connection failure.

Execute an SQLGetInfoW query and ask about the current catalog.
(you'll get an error "HY000:1:0:[MySQL][ODBC 5.1 Driver]SQLGetInfo() failed to return current catalog.")

(above query causes function 'reget_current_catalog' to be called, which destroys memory 'dbc->database')

Now disconnect the ODBC connection (SQLDisconnect + SQLFreeConnect).
 
Now an invalid address is specified to the heap manager and the host program crashes.

Suggested fix:

Fix reget_current_catalog in a way that it doesn't try to free that memory anymore. 

Or free its memory and then NULL the pointer properly to prevent it from ever being deallocated again...
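As an added illustration (not the reporter's or the driver's code), the free-then-dangle pattern described above and the suggested fix side by side, modelled in C with a stand-in DBC and a small double-free detector in place of the real heap. The detector, the stubbed odbc_stmt and the catalog name "test" are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the driver's DBC; only the field the report talks about. */
typedef struct { char *database; } DBC;

/* Tiny double-free detector standing in for the heap: a debug allocator (or
   ASan) catches the second free the same way instead of corrupting the heap. */
#define MAX_FREED 16
static void *freed_log[MAX_FREED];
static int freed_count, double_free_hits;
static void x_free(void *p) {
    if (p == NULL) return;                   /* freeing NULL is a harmless no-op */
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == p) { double_free_hits++; return; }  /* second free caught */
    if (freed_count < MAX_FREED) freed_log[freed_count++] = p;
    free(p);
}

/* "select database()" round-trip; non-zero means failure (server stopped).
   In the driver a success would refill dbc->database, which is why it is freed first. */
static int odbc_stmt(DBC *dbc, int server_up) { (void)dbc; return server_up ? 0 : 1; }
/* Shape from the report: the buffer is freed but the pointer is left dangling,
   so the x_free in SQLDisconnect releases the same block a second time. */
static int reget_current_catalog_buggy(DBC *dbc, int server_up) {
    x_free(dbc->database);
    return odbc_stmt(dbc, server_up);
}

/* Suggested fix from the report: NULL the pointer right after freeing it. */
static int reget_current_catalog_fixed(DBC *dbc, int server_up) {
    x_free(dbc->database);
    dbc->database = NULL;
    return odbc_stmt(dbc, server_up);
}

/* Mirrors the tail of SQLDisconnect from the report. */
static void sql_disconnect(DBC *dbc) { x_free(dbc->database); dbc->database = NULL; }
/* One catalog-lookup-then-disconnect run against a stopped server; returns how
   many double frees the detector caught (1 for the buggy variant, 0 for the fix). */
static int run_scenario(int (*reget)(DBC *, int)) {
    DBC dbc;
    dbc.database = malloc(5);
    strcpy(dbc.database, "test");            /* constructed catalog name */
    int before = double_free_hits;
    freed_count = 0;                         /* fresh detector log per run */
    reget(&dbc, 0);
    sql_disconnect(&dbc);
    return double_free_hits - before;
}
```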
[10 Jun 2010 16:05] Lawrenty Novitsky
Edwin,

I appreciate the time you've spent on reporting this bug. And I hate to mark it duplicate (of Bug#46910). But probably you didn't really need to file this additional bug report since it describes the very same problem as your initial report.

Please see my comment on the Bug#48406 page. Before your last comment there, it wasn't obvious that it is the same problem as in the Bug#46910 report. And also Tonci couldn't reproduce your crash...