[Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials
Vladislav Shpilevoy
v.shpilevoy at tarantool.org
Thu Oct 31 02:57:49 MSK 2019
Func_delete() called credentials_destroy() after
func->vtab->destroy(). But appeared, that vtab->destroy() is
actually delete, and it frees the func object. Now the func's
owner credentials are destroyed before the function is freed.
Closes #4597
Follow up #2763
---
Branch: https://github.com/tarantool/tarantool/tree/gerold103/gh-4597-credentials-follow-up
Issue: https://github.com/tarantool/tarantool/issues/4597
src/box/func.c | 3 ++-
src/box/lua/call.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/box/func.c b/src/box/func.c
index c94ca4974..7ac92bc84 100644
--- a/src/box/func.c
+++ b/src/box/func.c
@@ -463,6 +463,7 @@ func_c_destroy(struct func *base)
assert(base != NULL && base->def->language == FUNC_LANGUAGE_C);
struct func_c *func = (struct func_c *) base;
func_c_unload(func);
+ TRASH(base);
free(func);
}
@@ -548,8 +549,8 @@ void
func_delete(struct func *func)
{
struct func_def *def = func->def;
- func->vtab->destroy(func);
credentials_destroy(&func->owner_credentials);
+ func->vtab->destroy(func);
free(def);
}
diff --git a/src/box/lua/call.c b/src/box/lua/call.c
index 00322f6c8..f1bbde7f0 100644
--- a/src/box/lua/call.c
+++ b/src/box/lua/call.c
@@ -734,6 +734,7 @@ func_lua_destroy(struct func *func)
{
assert(func != NULL && func->def->language == FUNC_LANGUAGE_LUA);
assert(func->vtab == &func_lua_vtab);
+ TRASH(func);
free(func);
}
--
2.21.0 (Apple Git-122)
More information about the Tarantool-patches
mailing list