#3917 Double free error in tev_curl
Closed: Fixed 10 months ago Opened 10 months ago by atikhonov.

When tev_curl.c: schedule_fd_processing() schedules a new timer event at the request of libcurl, it cancels the previous timer:

talloc_zfree(tctx->process_timer);

That's fine if:
* the timer was not set (i.e. process_timer == NULL)
* it didn't fire yet
* it is in the process of execution (that happens, but the timer's "destructor" protects mem from being freed)

But that leads to a double free if the timer has already fired (since libtevent deletes the event after execution):

[sssd[kcm]] [schedule_fd_processing] (0x2000): timeout_ms: 0
[sssd[kcm]] [schedule_fd_processing] (0x2000):  trying to release non-zero ptr (0x564e354033b0)
[sssd[kcm]] [talloc_log_fn] (0x0010): Bad talloc magic value - unknown value

While the nature of this bug has nothing specific to Debian, from my observation this is exactly the reason why Internal CI fails on the debian_testing machine. It seems timings are a little bit different there, and the chances of the timer being executed before schedule_fd_processing tries (and fails) to delete it are higher.
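
One way to avoid the stale-pointer free described in the report, as an added example that is not SSSD's code or its actual fix: a plain-C model (no talloc or libtevent) in which every release of the timer goes through one path that first clears the owner's pointer. The names timer_free, schedule, loop_fire, owner_slot and run_scenario are hypothetical; only process_timer comes from the report. Rescheduling from inside the running handler is not modeled.

```c
#include <stdlib.h>

/* Constructed stand-in for a one-shot timer event that the event loop owns.
 * owner_slot points at the place where the owner keeps its pointer to it. */
struct timer { struct timer **owner_slot; };

/* Stand-in for the request context; process_timer is the field from the report. */
struct ctx {
    struct timer *process_timer;
    int allocs, frees, runs;
};

/* Single release path: clear the owner's pointer, then free (destructor-like hook). */
static void timer_free(struct ctx *c, struct timer *t) {
    if (t == NULL) return;
    if (*t->owner_slot == t) *t->owner_slot = NULL;
    free(t);
    c->frees++;
}

/* Owner side: cancel whatever is still pending, then arm a new timer. */
static int schedule(struct ctx *c) {
    timer_free(c, c->process_timer);      /* no-op if the timer already fired */
    struct timer *t = malloc(sizeof(*t));
    if (t == NULL) return -1;
    t->owner_slot = &c->process_timer;
    c->process_timer = t;
    c->allocs++;
    return 0;
}

/* Loop side: run the handler, then delete the event, as the report describes. */
static void loop_fire(struct ctx *c, struct timer *t) {
    c->runs++;                            /* handler body would run here */
    timer_free(c, t);
}

/* Returns 0 when each timer is freed exactly once and no stale pointer remains. */
int run_scenario(void) {
    struct ctx c = {0};
    if (schedule(&c)) return -1;             /* timer was not set */
    loop_fire(&c, c.process_timer);          /* fires; the loop frees it */
    if (c.process_timer != NULL) return 1;   /* owner's pointer was cleared */
    if (schedule(&c)) return -1;             /* reschedule after firing (the report's case) */
    if (schedule(&c)) return -1;             /* previous timer did not fire yet */
    loop_fire(&c, c.process_timer);
    return (c.allocs == 3 && c.frees == 3 && c.runs == 2 && !c.process_timer) ? 0 : 2;
}
int main(void) { return run_scenario(); }
```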


Metadata Update from @atikhonov:
- Issue assigned to atikhonov

10 months ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

10 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

10 months ago

Can we also close #3897 after this commit?

Commented there
