admin: fix use-after-free in coord_request error path

piochelepiotr · claude · piochelepiotr · commit 6f5f7a360cc9 · 2026-04-08T12:36:26.000-06:00
When rd_kafka_admin_coord_request()'s request() call fails, the error path called rd_kafka_admin_common_worker_destroy() which freed the eonce object. However, the caller (rd_kafka_coord_req_fsm) still holds a reference to the eonce and passes it to rd_kafka_coord_req_fail(), which enqueues a dummy error response carrying the (now-freed) eonce as opaque. When rd_kafka_admin_coord_response_parse() later processes that response and calls rd_kafka_enq_once_del_source_return(), it accesses freed memory, triggering an assertion failure and abort: rd_kafka_enq_once_del_source_return: Assertion `eonce->refcnt > 0' Fix by not calling worker_destroy() in the error path of rd_kafka_admin_coord_request(). Instead, let the error propagate through the normal coord_req_fail -> coord_response_parse path, which already handles cleanup correctly. This affects all coordinator-targeted Admin API operations: DescribeConsumerGroups, DeleteConsumerGroupOffsets, ListConsumerGroupOffsets, and similar. Fixes #4605 Fixes #3663 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,19 @@
+# librdkafka v2.14.1 (unreleased)
+
+## Fixes
+
+### Admin client fixes
+
+* Fix use-after-free in `rd_kafka_admin_coord_request()` error path
+  that caused an assertion failure
+  (`rd_kafka_enq_once_del_source_return: Assertion 'eonce->refcnt > 0' failed`)
+  and process abort when a coordinator-targeted Admin API request
+  (e.g., DescribeConsumerGroups, DeleteConsumerGroupOffsets,
+  ListConsumerGroupOffsets) failed to send.
+  The error path prematurely destroyed the eonce while the caller
+  (coord_req_fsm) still held a reference to it (#4605, #3663).
+
+
 # librdkafka v2.14.0
 
 librdkafka v2.14.0 is a feature release:
diff --git a/src/rdkafka_admin.c b/src/rdkafka_admin.c
@@ -480,7 +480,6 @@ rd_kafka_admin_coord_request(rd_kafka_broker_t *rkb,
                              rd_kafka_replyq_t replyq,
                              rd_kafka_resp_cb_t *resp_cb,
                              void *opaque) {
-        rd_kafka_t *rk             = rkb->rkb_rk;
         rd_kafka_enq_once_t *eonce = opaque;
         rd_kafka_op_t *rko;
         char errstr[512];
@@ -500,11 +499,17 @@ rd_kafka_admin_coord_request(rd_kafka_broker_t *rkb,
             rd_kafka_admin_handle_response, eonce);
 
         if (err) {
-                rd_kafka_admin_result_fail(
-                    rko, err, "%s worker failed to send request: %s",
-                    rd_kafka_op2str(rko->rko_type), errstr);
-                rd_kafka_admin_common_worker_destroy(rk, rko,
-                                                     rd_true /*destroy*/);
+                /* Do not call worker_destroy() here. The caller
+                 * (rd_kafka_coord_req_fsm) will call coord_req_fail()
+                 * which enqueues a dummy error response carrying the eonce
+                 * as opaque. coord_response_parse() will then pick up the
+                 * rko via del_source_return("coordinator response"),
+                 * see the error, and call worker_destroy() itself.
+                 *
+                 * Calling worker_destroy() here would free the eonce while
+                 * the caller still holds a reference to it, leading to a
+                 * use-after-free / assertion failure in
+                 * rd_kafka_enq_once_del_source_return(). */
         }
         return err;
 }
