Fix use-after-free bug of DataType value.

xiaoxq · web-flow · commit c2ed5b6dc374 · 2017-08-31T14:27:37.000-07:00
Everytime when we call DataType&lt;T&gt;::value(), a new string is constructed and assign to the static data_type. So if we call it twice, the first one has been released when we get the second one.

std::string data_type(value1, strlen(value2));

If the parameters are evaluated from left to right, value1 becomes invalid while we are using it to construct data_type.
This is the simplest fix, which passes a single c_str as parameter.
A better solution is to refactor this whole piece of code, to try to avoid constructing data_type everytime, or avoid c_str.
diff --git a/ros/roscpp_core/roscpp_traits/include/ros/protobuffer_traits.h b/ros/roscpp_core/roscpp_traits/include/ros/protobuffer_traits.h
@@ -69,7 +69,7 @@ struct MD5Sum<T, typename boost::enable_if<boost::is_base_of< ::google::protobuf
 {
   static const char* value() 
   {
-    std::string data_type(DataType<T>::value(), strlen(DataType<T>::value()));
+    std::string data_type(DataType<T>::value());
     if (type_md5_map.count(data_type) == 0) 
     {
       type_md5_map[data_type] = ros::md5::MD5(data_type).toStr();

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ struct MD5Sum<T, typename boost::enable_if<boost::is_base_of< ::google::protobuf`
`69`	`69`	`{`
`70`	`70`	`static const char* value()`
`71`	`71`	`{`
`72`		`- std::string data_type(DataType<T>::value(), strlen(DataType<T>::value()));`
	`72`	`+ std::string data_type(DataType<T>::value());`
`73`	`73`	`if (type_md5_map.count(data_type) == 0)`
`74`	`74`	`{`
`75`	`75`	`type_md5_map[data_type] = ros::md5::MD5(data_type).toStr();`