Description
Problem
racf_logout() in raclgout.c can leave a dangling pointer in ASXBSENV (ASXB+0xC8), causing S0C4 abends in subsequent code that calls racf_get_acee().
Root Cause
RACINIT ENVIR=CREATE (called by racf_login()) always anchors the new ACEE in ASXBSENV, regardless of whether the ACEE= parameter is specified.
When racf_logout() later deletes that ACEE, the restore logic on line 65 compares oldacee (saved before RACINIT DELETE) with *acee (after RACINIT DELETE). RACINIT DELETE zeroes *acee, so the comparison always evaluates to oldacee != 0, which triggers the "restore" branch — writing the now-freed ACEE pointer back into ASXBSENV.
```c
ACEE *oldacee = *asxbsenv;  // = 0x009B1DB0 (same as *acee, set by RACINIT CREATE)
*asxbsenv = *acee;          // = 0x009B1DB0
/* RACINIT DELETE frees the ACEE and zeroes *acee */
if (oldacee != *acee) {     // 0x009B1DB0 != 0x00000000 -> TRUE
    *asxbsenv = oldacee;    // writes the freed pointer back!  <-- BUG
} else {
    *asxbsenv = (ACEE*)0;   // never reached
}
```
Symptoms
Observed as S0C4 in UFSD SSI router (ufsdssir) when a second Zowe Explorer file retrieval triggers UFSREQ_SESS_OPEN. The SSI router calls racf_get_acee() which returns the stale ASXBSENV pointer; accessing acee->aceeuser at offset 0x14 faults on freed storage.
```
ABEND S0C4 detected for module CTHREAD epname ufsdssir offset 000001D4
R15:009B1DB0 (freed ACEE, memory inaccessible)
```
Fix
Save *acee before RACINIT DELETE and use that for the comparison:
```c
ACEE *delacee = *acee;      // save before RACINIT zeroes it
/* ... RACINIT DELETE ... */
if (oldacee == delacee) {
    *asxbsenv = (ACEE*)0;   // we deleted what was in ASXBSENV -> clear
} else {
    *asxbsenv = oldacee;    // a different ACEE was in ASXBSENV -> restore it
}
```
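The following is an added, host-side model of the restore logic described above (example code, not raclgout.c or any other project code). It simulates RACINIT ENVIR=CREATE/DELETE with malloc/free and a plain pointer standing in for ASXBSENV, then runs both the buggy and the fixed logout against two situations: the normal login/logout pair, where the buggy version leaves the freed ACEE anchored, and a logout while a different ACEE is anchored, where both versions correctly restore it. All function names (`sim_racinit_*`, `logout_buggy`, `logout_fixed`, `leaves_dangling`, `restores_other`) are hypothetical.

```c
/* Added example, not project code: models the ASXBSENV restore bug and its fix.
 * RACINIT is simulated; names other than ACEE/ASXBSENV are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct ACEE { int aceeuser; } ACEE;

/* Simulated anchor word ASXB+0xC8 (ASXBSENV). */
static ACEE *asxbsenv;

/* Simulated RACINIT ENVIR=CREATE: allocates an ACEE and, as the issue notes,
 * always anchors it in ASXBSENV regardless of the ACEE= parameter. */
static void sim_racinit_create(ACEE **acee) {
    *acee = malloc(sizeof **acee);
    asxbsenv = *acee;
}

/* Simulated RACINIT ENVIR=DELETE: frees the ACEE and zeroes *acee. */
static void sim_racinit_delete(ACEE **acee) {
    free(*acee);
    *acee = NULL;
}

/* Logout as described in the issue: compares oldacee with *acee AFTER DELETE. */
static void logout_buggy(ACEE **acee) {
    ACEE *oldacee = asxbsenv;
    asxbsenv = *acee;
    sim_racinit_delete(acee);
    if (oldacee != *acee)       /* *acee is now NULL, so this is always true */
        asxbsenv = oldacee;     /* may write the freed ACEE back into the anchor */
    else
        asxbsenv = NULL;
}

/* Fixed logout: compare against the value of *acee saved BEFORE DELETE. */
static void logout_fixed(ACEE **acee) {
    ACEE *oldacee = asxbsenv;
    ACEE *delacee = *acee;      /* save before RACINIT zeroes it */
    asxbsenv = *acee;
    sim_racinit_delete(acee);
    if (oldacee == delacee)
        asxbsenv = NULL;        /* we deleted what was anchored: clear it */
    else
        asxbsenv = oldacee;     /* something else was anchored: restore it */
}

/* Login then logout. Returns 1 if ASXBSENV still holds the address of the
 * deleted ACEE afterwards (a dangling anchor), 0 if it was cleared.
 * Only the pointer value is compared; the freed storage is never touched. */
static int leaves_dangling(void (*logout)(ACEE **)) {
    ACEE *acee = NULL;
    asxbsenv = NULL;
    sim_racinit_create(&acee);
    uintptr_t created = (uintptr_t)acee;
    logout(&acee);
    return (uintptr_t)asxbsenv == created;
}

/* Logout while a different ACEE is anchored in ASXBSENV. Returns 1 if that
 * other ACEE is still anchored afterwards (the restore path worked). */
static int restores_other(void (*logout)(ACEE **)) {
    static ACEE other;          /* constructed stand-in for a pre-existing ACEE */
    ACEE *acee = malloc(sizeof *acee);  /* task ACEE, not anchored */
    asxbsenv = &other;
    logout(&acee);
    return asxbsenv == &other;
}

int main(void) {
    printf("buggy logout leaves dangling anchor: %d\n", leaves_dangling(logout_buggy));
    printf("fixed logout leaves dangling anchor: %d\n", leaves_dangling(logout_fixed));
    printf("buggy logout restores other ACEE:    %d\n", restores_other(logout_buggy));
    printf("fixed logout restores other ACEE:    %d\n", restores_other(logout_fixed));
    return 0;
}
```

The second scenario matters for review: the fix must not just clear ASXBSENV unconditionally, because a logout that did not own the anchored ACEE still has to put the previous one back. Saving `*acee` before the delete is what lets the comparison distinguish the two cases.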