Finding bugs by reading documentation - Asylum

submitted by
Style Pass
2021-09-26 01:00:03

I wrote the riemann-c-client library in 2013, and have been maintaining it since. The last release was in 2018, and I pretty much considered the library done and finished, needing neither development nor much maintenance. Yet, I have released a new version today, after more than three years of no releases - because I re-read the documentation, and spotted a case where the code didn't match the documentation, and under some (very rare) circumstances, may have resulted in memory corruption leading to undefined behaviour.

For one reason or another, I've been reviewing the library documentation - I sometimes do that, to see if it can be improved. Years after not touching something, I tend to forget how it works, and if the documentation helps me refresh my memory, we're good. Now, a particular part of it, the one describing the riemann_client_connect() function, lists all the options available for TLS connections, most of them explicitly specifying that the argument to the option is copied, and can be free'd by the caller safely. However, at that time, it did not specify that for the last option, RIEMANN_CLIENT_OPTION_TLS_PRIORITIES, and I went wondering why - must be a documentation error!

So I went to correct the documentation. But before doing so, I checked that it is correct, and that we do copy the values. We did not. None of them. My first reaction was quite a big shock, because this could lead to memory corruption, if we free the values before we use them.
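The ownership mismatch described above, as an added example (not code from riemann-c-client or from the post): a hypothetical option holder that either keeps the caller's pointer or copies the value as the documentation promises. The struct, the function names and the sample string are assumptions; the caller overwrites its buffer instead of freeing it, so the demonstration stays within defined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical option holder; not riemann-c-client's real struct. */
struct tls_opts { char *priorities; int owned; };

/* The pattern the post found: keep the caller's pointer as-is. */
static void opts_set_borrowed(struct tls_opts *o, char *value) {
    o->priorities = value;
    o->owned = 0;
}

/* The documented contract: copy, so the caller may free its argument. */
static int opts_set_copied(struct tls_opts *o, const char *value) {
    size_t n = strlen(value) + 1;
    char *dup = malloc(n);
    if (dup == NULL) return -1;
    memcpy(dup, value, n);
    o->priorities = dup;
    o->owned = 1;
    return 0;
}

static void opts_clear(struct tls_opts *o) {
    if (o->owned) free(o->priorities);
    o->priorities = NULL;
    o->owned = 0;
}

/* 1 if the stored option still reads "NORMAL" after the caller reuses
 * its buffer, 0 if it changed underneath us, -1 on allocation failure. */
static int survives_caller_reuse(int copy) {
    struct tls_opts o = { NULL, 0 };
    char caller[] = "NORMAL";            /* constructed sample value */
    if (!copy) opts_set_borrowed(&o, caller);
    else if (opts_set_copied(&o, caller) != 0) return -1;
    memset(caller, 'X', strlen(caller)); /* stand-in for free(): no UB */
    int ok = strcmp(o.priorities, "NORMAL") == 0;
    opts_clear(&o);
    return ok;
}

int main(void) {
    printf("borrowed survives: %d\n", survives_caller_reuse(0));
    printf("copied survives:   %d\n", survives_caller_reuse(1));
    return 0;
}
```

With a real free() in place of the memset, the borrowed variant would read freed memory; building such code with -fsanitize=address reports that as a heap-use-after-free.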
