Do not call MMDB_free_entry_data_list() on libmaxminddb failures #39
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
After upgrading libmaxminddb from 1.11.0 to 1.12.0,
t/MaxMind/DB/Reader-broken-databases.t started to segfault. A minimal
reproducer is:
use MaxMind::DB::Reader;
# Test broken doubles
my $reader = MaxMind::DB::Reader->new( file => 'maxmind-db/test-data/GeoIP2-City-Test-Broken-Double-Format.mmdb');
$reader->record_for_address('2001:220::');
The cause was that MaxMind-DB-Reader-XS called
MMDB_free_entry_data_list(entry_data_list) when handling
a MMDB_get_entry_data_list(, &entry_data_list) failure. But
MMDB_get_entry_data_list() did not initialize the pointer in case of
error.
That was not true even before libmaxminddb 1.12.0, but because
previous libmaxminddb versions did not free the memory itself, the
erroneous MMDB_free_entry_data_list() call actually operated on valid
data and no crash occured. When libmaxminddb 1.12.0 started correctly
to clean up on the error, MaxMind-DB-Reader-XS started to double-free
entry_data_list leading to a crash.
This bug was introduced with e5322e5
commit ("free entry data list before croaking on failed calls to get
entry data list").
This patch removes all MMDB_free_entry_data_list() calls when handling
libmaxminddb failures as the pointer is supposed to be undefined in
that case. This patch does not conditionalize this change on
libmaxminddb version because it's better to leak a memory than to
crash after updating libmaxminddb.
|
Thanks for the analysis and the PR. We decided to resolve the issue in |
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jan 12, 2025
## 1.12.2 - 2025-01-10 * `MMDB_get_entry_data_list()` now always sets the passed `entry_data_list` parameter to either `NULL` or valid memory. This makes it safe for callers to use `MMDB_free_entry_data_list()` on it even in case of error. In 1.12.0 `MMDB_get_entry_data_list()` was changed to not set this parameter to valid memory in additional error cases. That change caused segfaults for certain libraries that assumed it was safe to free memory on error. Doing so was never safe, but worked in some cases. This change makes such calls safe. Reported by Petr Pisar. GitHub maxmind/MaxMind-DB-Reader-XS#39. ## 1.12.1 - 2025-01-08 * Added missing `cmake_uninstall.cmake.in` to the source distribution. This was missing from 1.12.0, causing CMake builds to fail. Reported by Marcel Raad. GitHub #367. ## 1.12.0 - 2025-01-07 * Fixed memory leaks in `MMDB_open()`. These could happen with invalid databases or in error situations such as failing to allocate memory. As part of the fix, `MMDB_get_entry_data_list()` now frees memory it allocates on additional errors. Previously it failed to clean up when certain errors occurred. Pull request by pkillarjun. GitHub #356. * There is now a build target to fuzz the library. Pull request by pkillarjun. GitHub #357. * Updated `cmake_minimum_required` to a version range to quiet deprecation warnings on new CMake versions. Reported by gmou3. GitHub #359. * The script for generating man pages no longer uses `autodie`. This eliminates the dependency on `IPC::System::Simple`. Reported by gmou3. GitHub #359. * An uninstall target is now included for CMake. Pull request by gmou3. GitHub #362.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After upgrading libmaxminddb from 1.11.0 to 1.12.0, t/MaxMind/DB/Reader-broken-databases.t started to segfault. A minimal reproducer is:
The cause was that MaxMind-DB-Reader-XS called
MMDB_free_entry_data_list(entry_data_list) when handling a MMDB_get_entry_data_list(, &entry_data_list) failure. But MMDB_get_entry_data_list() did not initialize the pointer in case of error.
That was not true even before libmaxminddb 1.12.0, but because previous libmaxminddb versions did not free the memory itself, the erroneous MMDB_free_entry_data_list() call actually operated on valid data and no crash occured. When libmaxminddb 1.12.0 started correctly to clean up on the error, MaxMind-DB-Reader-XS started to double-free entry_data_list leading to a crash.
This bug was introduced with e5322e5 commit ("free entry data list before croaking on failed calls to get entry data list").
This patch removes all MMDB_free_entry_data_list() calls when handling libmaxminddb failures as the pointer is supposed to be undefined in that case. This patch does not conditionalize this change on libmaxminddb version because it's better to leak a memory than to crash after updating libmaxminddb.