Package: libdbi1
Version: 0.9.0-3
Severity: serious
Tags: upstream

Hi,

I'm seeing a double-free in dbi_shutdown_r which happens after a connection attempt (using dbi_conn_connect) fails and dbi_conn_close was called. I don't have a full reproduction case yet but I think this is related to the fix for #745980. I *assume* that the following happens:

- dbi_conn_open adds the new connection to an internal list (using _update_internal_conn_list)
- dbi_conn_connect does not touch that list
- when calling dbi_conn_close after connect failed (supposedly conn->connection == NULL), the connection is not removed since dbi_conn_close returns early but after freeing the connection object (_update_internal_conn_list would only happen when not returning early)
- when calling dbi_shutdown_r, the connection is still in the internal list and another attempt to close the connection is done causing an invalid read and the double-free

I think the right fix is to not return early at all in dbi_conn_close but instead guard each single operation by checking if the required fields are set (similar to how it's done in most cases already).

Let me know if you need any other information -- I can then try to come up with a small test-case which reproduces the problem.

TIA,
Sebastian

--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.
-- Benjamin Franklin
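The sequence the report walks through, as an added example modelled in C (constructed here, not libdbi's code; the registry, close and shutdown names are hypothetical stand-ins for libdbi's internals): the early-return close leaves an already-freed object in the registry so the shutdown loop touches it again, while the guarded close always unlinks it before returning.

```c
#include <stddef.h>
/* Constructed model of the pattern in the report (hypothetical names, not
 * libdbi's code): a registry of connection objects, a close routine and a
 * shutdown loop. A "freed" flag stands in for free() so the double free is
 * counted rather than crashing the process. */
typedef struct conn {
    int connected;      /* 0 when the connect attempt failed */
    int freed;          /* set by close; a second close is a double free */
    struct conn *next;
} conn_t;
typedef struct { conn_t *head; int double_frees; } registry_t;
static void unlink_conn(registry_t *r, conn_t *c) {
    for (conn_t **p = &r->head; *p; p = &(*p)->next)
        if (*p == c) { *p = c->next; return; }
}
/* Like dbi_conn_open: the object is registered before any connect attempt. */
static void register_conn(registry_t *r, conn_t *c, int connect_ok) {
    c->connected = connect_ok;
    c->freed = 0;
    c->next = r->head;
    r->head = c;
}
/* Early-return close as the report describes it: the object is freed, then
 * the function bails out when there was no live connection, so the node is
 * never unlinked from the registry. */
static void close_early_return(registry_t *r, conn_t *c) {
    if (c->freed) { r->double_frees++; return; }  /* real code: invalid read + free */
    c->freed = 1;
    if (!c->connected) return;                    /* BUG: skips unlink_conn */
    unlink_conn(r, c);
}
/* Guarded close: each step checks the field it needs; unlink always runs. */
static void close_guarded(registry_t *r, conn_t *c) {
    if (c->freed) { r->double_frees++; return; }
    if (c->connected) c->connected = 0;           /* tear down only a live connection */
    unlink_conn(r, c);
    c->freed = 1;
}
/* Open one good and one failed connection, close the failed one, then shut
 * down by closing everything still registered (as dbi_shutdown_r does). */
int run_scenario(void (*close_fn)(registry_t *, conn_t *)) {
    registry_t r = { NULL, 0 };
    conn_t ok, failed;
    register_conn(&r, &ok, 1);
    register_conn(&r, &failed, 0);                /* connect failed */
    close_fn(&r, &failed);
    for (conn_t *c = r.head, *n; c; c = n) { n = c->next; close_fn(&r, c); }
    return r.double_frees;                        /* 1 early-return, 0 guarded */
}
```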