[xmlsec] Valgrind reports an invalid read that can lead to crash

Frank Gross fg at 4js.com
Wed Jan 6 05:21:54 PST 2010


   I had some random crashes using the xmlsec library for signature, so 
I did a test with valgrind that reported an invalid read (see attached 
valgrind output). You can see that it happens in the 
'xmlXPathFreeNodeSet' function that is called in 'xmlSecNodeSetDestroy'.

After some investigations, I find out that it is related to the use of 
an XPath transformation that builds a list of 'xmlSecNodeSetPtr' in the 
'xmlSecXPathDataListExecute' function. In that function a new 
'xmlSecNodeSetPtr' is added at the end of the list but containing the 
nodes to be signed according to the XPath expression. Unfortunately, the 
first 'xmlSecNodeSetPtr' of that list has the 'destroyDoc' boolean set 
to 1 that tells the 'xmlSecNodeSetDestroy' function to release the whole 
document, and when it is the next 'xmlSecNodeSetPtr' of the list to be 
destroyed it tries to release the node resulting of the XPath 
expression, but they don't exist anymore because the document they 
belong to has been released just before.

To solve the problem I set the 'destroyDoc' of the first element to 0, 
and put it to 1 on the last element of the list, so that the document is 
only released at the very end. Actually, I simply add following code at 
the end of the xmlSecXPathDataListExecute function just before the 
return instruction.

    if (res->destroyDoc) {
      /* force the releasing of the document at the end of the list 
otherwise xmlSecNodeSetDestroy can crash
        because it will release the doc in the first node set but the 
following ones have references to this document too
      res->destroyDoc = 0;
      res->prev->destroyDoc = 1;


 I don't know if it is correct to do so or if there are some side 
effects but it seems to fix my issue.


Software Engineer - Web Services
Four J's Development Tools - http://www.4js.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: val.xml
Type: text/xml
Size: 11626 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20100106/c282e710/attachment.xml>

More information about the xmlsec mailing list