[SPRNET-1368] CacheResultAdvice may return incompatible objects Created: 21/Sep/10  Updated: 21/Sep/10  Resolved: 21/Sep/10

Status: Resolved
Project: Spring.NET
Component/s: Spring-NET-AOP
Affects Version/s: 1.2.0, 1.3.0, 1.3.1
Fix Version/s: 1.3.1

Type: Bug Priority: Blocker
Reporter: Chris Eldredge Assignee: Steve Bohlen
Resolution: Complete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File CacheResultAdvice.patch    


CacheResultAdvice does not validate an object returned by the underlying ICache implementation before allowing it to be returned. If a rogue object happens to be inserted into the cache, the aspect could return that object when it isn't compatible with the return type on the method signature. If the object returned is smaller than the expected type, access to fields on the expected type will exceed the bounds of the actual instance leading to access violations or unitialized memory being accessed by managed code. This can cause the .NET Runtime to crash with access violations or result in other unexpected errors.

Since this bug can trigger the .NET runtime to crash with an access violation, it should be treated as severe.

There are two primary ways this bug can be triggered.

First, this can happen when there is a cache collision (i.e., two methods use the same cache key to store values of different types).

Second, CacheResultAdvice caches null values by comparing a cached value with a static field on CacheResultAdvice (NullValue). If the ICache implementation uses serialization (for example a SQL cache, or memcached, etc.), it will return a different instance of System.Object. This will cause CacheResultAdvice to return that instance of System.Object instead of detecting that a null value was stored in the cache.

The supplied patch against trunk@r1064 includes unit tests to illustrate both problems and provides a fix.

Comment by Steve Bohlen [ 21/Sep/10 ]

Patch applied. Good find of the error and nice fix for the issue.

Generated at Mon May 20 15:11:58 UTC 2019 using JIRA 7.9.2#79002-sha1:3bb15b68ecd99a30eb364c4c1a393359bcad6278.