[Tarantool-patches] [PATCH] relay: fix use after free in subscribe_f

Vladislav Shpilevoy v.shpilevoy at tarantool.org
Wed May 12 23:25:59 MSK 2021


Hi! Thanks for the patch!

> diff --git a/src/box/relay.cc b/src/box/relay.cc
> index ff43c2fc7..32d3a58dd 100644
> --- a/src/box/relay.cc
> +++ b/src/box/relay.cc
> @@ -756,6 +755,8 @@ relay_subscribe_f(va_list ap)
>  	if (!relay->replica->anon)
>  		relay_send_is_raft_enabled(relay, &raft_enabler, true);
>  
> +	struct recovery *r = relay->r;
> +
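
Review bot: The added `struct recovery *r = relay->r;` after the relay_send_is_raft_enabled() call has no comment saying why the pointer is read at this position rather than at the top of the function. Since the patch subject is a use after free, a later cleanup could hoist the declaration back up and reintroduce the stale pointer. A one-line comment stating that relay->r must be read only after the preceding call would keep the ordering constraint visible. Dropping the local and reading relay->r at each use site would do the same.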

There is another cbus_process() on line 808. Won't it lead to the same issue
if recovery would be restarted? I see it is for version < 1.7.4 so probably
not. Another option would be to simply inline relay->r in its usage places
and not remember it into a variable.

Anyway, LGTM. Up to you if you want to inline.

