Bug #87948 Use after free in rapid/plugin/x/mysqlxtest_src/mysqlx_protocol.cc
Submitted: 3 Oct 2017 7:25
Modified: 3 Jan 13:06
Reporter: Tom Shi
Status: Closed
Category: MySQL Server: Document Store: X Plugin
Severity: S3 (Non-critical)
Version: 5.7, 5.7.19
OS: Any
Assigned to:
CPU Architecture: Any

[3 Oct 2017 7:25] Tom Shi
Here is a use-after-free vulnerability: https://github.com/mysql/mysql-server/blob/5.7/rapid/plugin/x/mysqlxtest_src/mysqlx_protoc...

    if (!ret_val->IsInitialized())
    {
      delete[] mbuf;
      delete ret_val;  // <---- delete ret_val here
      std::string err("Message is not properly initialized: ");
      err += ret_val->InitializationErrorString(); // <---- use ret_val here
      throw Error(CR_MALFORMED_PACKET, err);
    }

Although it is in the test code, it is better to fix...

How to repeat:
It can be repeated always...
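
One way to remove the use-after-free reported above, shown as an added example (this is not the MySQL source, nor the change that was applied upstream): the error text is read while the message is still alive, and smart pointers release both allocations on every exit path. FakeMessage, MalformedPacket, decode_message and try_decode are hypothetical stand-ins for the protobuf message and the client's Error type; the 64-byte buffer is a constructed placeholder for mbuf.

```cpp
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a protobuf message (not the X Plugin's types).
struct FakeMessage {
  static int live;  // live-instance counter, to show nothing leaks or double-frees
  bool complete;
  explicit FakeMessage(bool ok) : complete(ok) { ++live; }
  ~FakeMessage() { --live; }
  bool IsInitialized() const { return complete; }
  std::string InitializationErrorString() const { return "required_field"; }
};
int FakeMessage::live = 0;

// Hypothetical stand-in for the client's Error(CR_MALFORMED_PACKET, ...) exception.
struct MalformedPacket : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Hardened ordering: no manual delete, and the error string is built
// before the message object can be destroyed.
std::unique_ptr<FakeMessage> decode_message(bool payload_complete) {
  std::unique_ptr<char[]> mbuf(new char[64]);  // replaces delete[] mbuf
  std::unique_ptr<FakeMessage> ret_val(new FakeMessage(payload_complete));
  if (!ret_val->IsInitialized()) {
    std::string err("Message is not properly initialized: ");
    err += ret_val->InitializationErrorString();  // ret_val is still alive here
    throw MalformedPacket(err);  // stack unwinding frees mbuf and ret_val once
  }
  return ret_val;  // ownership passes to the caller; mbuf is freed on return
}

// Returns the error text for a malformed payload, or "" when decoding succeeds.
std::string try_decode(bool payload_complete) {
  try {
    decode_message(payload_complete);
    return "";
  } catch (const MalformedPacket &e) {
    return e.what();
  }
}

int main() {
  std::cout << try_decode(false) << "\n";
  std::cout << "live objects: " << FakeMessage::live << "\n";
  return 0;
}
```

Building the snippet with AddressSanitizer (`-fsanitize=address`) flags the original delete-then-use ordering at run time, which makes it a useful regression check for this class of bug.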
[3 Oct 2017 8:11] Umesh Shastry
Hello Tom Shi,

Thank you for the report and feedback!

[3 Jan 13:06] Margaret Fisher
Posted by developer:
Test case, no changelog entry required - closing.