View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008072 | Taler | exchange | public | 2024-01-11 19:11 | 2024-03-07 20:49 |
Reporter | fefe | Assigned To | oec | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Target Version | 0.9.4 | Fixed in Version | 0.9.4 | ||
Summary | 0008072: csr_withdraw_done: use after free, double free | ||||
Description | This is in exchange/src/lib/exchange_api_age_withdraw.c:

    839 {
    840   GNUNET_break (0);
    841   TALER_EXCHANGE_age_withdraw_cancel (awh);
    842   break;
    843 }

The break leaves the do-while-loop from 829 to 855. Same here:

    849 {
    850   GNUNET_break (0);
    851   TALER_EXCHANGE_age_withdraw_cancel (awh);
    852   break;
    853 }

This is the first statement after the do-while-loop:

    855 } while(0);
    856
    857 awh->csr.pending--;

The code then also does other things with awh, but only if success is true, which it would not be if one of the two breaks was taken. However, at the very end, the code does this:

    868 TALER_EXCHANGE_age_withdraw_cancel (awh);

which, among other things, tries to call free again. | ||||
Tags | No tags attached. | ||||
|
The second fail clause apparently can't be triggered because the called function (TALER_coin_ev_hash) always returns success. Maybe we can make it a void function then and get rid of the handling of errors that can never happen? |
|
Yes, I agree, hash functions should not fail, so we should change it to return void. @oec: will you do it? |
|
Yes, I'll fix the issue and change the signature. |
|
Fixed with a6b35ee7d345aa11e0388733fb95f3a4d2e52180 |
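
A simplified model of the control flow described in this report, added here as an example; it is not code from the Taler repository and not the change made in the referenced commit. The `handle` struct, its counters and all function names are hypothetical, and the release is simulated with a flag so that both the reported and the repaired path can be executed and compared.

```c
#include <stdbool.h>

/* Hypothetical stand-in for the handle (not Taler's struct). Nothing is
 * really freed here, so the faulty path can be executed and counted. */
struct handle {
  unsigned int pending; /* models awh->csr.pending */
  bool released;        /* set where the real cancel would free */
  int releases;         /* number of cancel calls */
  int stale_uses;       /* accesses made after release */
  int results;          /* success-only work performed */
};

static void cancel(struct handle *h) { h->releases++; h->released = true; }
static void dec_pending(struct handle *h) {
  h->stale_uses += h->released; /* count an access after release */
  h->pending--;
}

/* Control flow as reported: release in the error branch, then break. */
static void done_reported(struct handle *h, bool ok) {
  bool success = false;
  do {
    if (!ok) { cancel(h); break; } /* break only leaves the do-while */
    success = true;
  } while (0);
  dec_pending(h);            /* error path: use after release */
  if (success) h->results++;
  cancel(h);                 /* error path: second release */
}

/* One possible repair (assumption): the error branch only breaks. */
static void done_single_release(struct handle *h, bool ok) {
  bool success = false;
  do {
    if (!ok) break;          /* record failure, release nothing yet */
    success = true;
  } while (0);
  dec_pending(h);
  if (success) h->results++;
  cancel(h);                 /* the only release point */
}

/* Run one callback on a fresh handle and return the final counters. */
struct handle run(void (*fn)(struct handle *, bool), bool ok) {
  struct handle h = { .pending = 1 };
  fn(&h, ok);
  return h;
}
```

On the error path the reported shape ends with two releases and one access after the first of them, while the single-release shape ends with one release and none.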
Date Modified | Username | Field | Change |
---|---|---|---|
2024-01-11 19:11 | fefe | New Issue | |
2024-01-11 19:11 | fefe | Status | new => assigned |
2024-01-11 19:11 | fefe | Assigned To | => Christian Grothoff |
2024-01-11 19:13 | Christian Grothoff | Assigned To | Christian Grothoff => oec |
2024-01-11 19:14 | fefe | Note Added: 0020866 | |
2024-01-11 19:17 | Christian Grothoff | Note Added: 0020867 | |
2024-01-11 19:31 | oec | Note Added: 0020868 | |
2024-01-12 12:00 | oec | Status | assigned => resolved |
2024-01-12 12:00 | oec | Resolution | open => fixed |
2024-01-12 12:00 | oec | Fixed in Version | => git (master) |
2024-01-12 12:00 | oec | Note Added: 0020871 | |
2024-01-25 22:29 | Christian Grothoff | Fixed in Version | git (master) => 0.9.4 |
2024-01-25 22:29 | Christian Grothoff | Target Version | => 0.9.4 |
2024-03-07 20:49 | Christian Grothoff | Status | resolved => closed |