Tarantool development patches archive
* [Tarantool-patches] [PATCH] relay: fix use after free in subscribe_f
@ 2021-05-12 11:39 Serge Petrenko via Tarantool-patches
From: Serge Petrenko via Tarantool-patches @ 2021-05-12 11:39 UTC (permalink / raw)
  To: v.shpilevoy, gorcunov; +Cc: tarantool-patches

relay_subscribe_f() remembered the old recovery pointer, which might be
replaced by relay_restart_recovery() if a raft message is delivered during
the cbus_process() loop in relay_send_is_raft_enabled().

Fix the issue by moving the variable initialization below
relay_send_is_raft_enabled().

Closes #6031
---
https://github.com/tarantool/tarantool/issues/6031
https://github.com/tarantool/tarantool/tree/sp/gh-6031-use-after-free

 src/box/relay.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/box/relay.cc b/src/box/relay.cc
index ff43c2fc7..32d3a58dd 100644
--- a/src/box/relay.cc
+++ b/src/box/relay.cc
@@ -741,7 +741,6 @@ static int
 relay_subscribe_f(va_list ap)
 {
 	struct relay *relay = va_arg(ap, struct relay *);
-	struct recovery *r = relay->r;
 
 	coio_enable();
 	relay_set_cord_name(relay->io.fd);
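Review bot: with the declaration removed from the top of relay_subscribe_f(), any remaining use of `r` between coio_enable() and the point where it is re-declared in the second hunk would now fail to compile, so a clean build is the evidence that nothing in the elided lines 745..755 relied on the cached pointer; since the hunk itself does not show those lines, it is worth saying so in the commit message (that no code between the old and new declaration touches `r`), so a reviewer does not have to open the file to confirm the move is safe.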
@@ -756,6 +755,8 @@ relay_subscribe_f(va_list ap)
 	if (!relay->replica->anon)
 		relay_send_is_raft_enabled(relay, &raft_enabler, true);
 
+	struct recovery *r = relay->r;
+
 	/*
 	 * Setup garbage collection trigger.
 	 * Not needed for anonymous replicas, since they
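Review bot: `struct recovery *r = relay->r;` is now correct only because it sits after relay_send_is_raft_enabled(), and nothing at the declaration says so; a short comment such as `/* Read after relay_send_is_raft_enabled(): its cbus_process() loop may run relay_restart_recovery() and replace relay->r. */` would stop a later refactor from hoisting the declaration back up and reintroducing the use-after-free. It is also worth stating whether any later cbus_process() call in the subscribe loop can replace relay->r again; if it can, caching the pointer here is still fragile and reading relay->r at each use site is the safer shape.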
-- 
2.30.1 (Apple Git-130)
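The ordering bug the commit message describes, as an added illustration that is not code from the patch or from Tarantool. The struct layouts, recovery_new()/recovery_delete(), the static pool and the `pending_raft_msgs` counter are hypothetical stand-ins; relay_restart_recovery(), cbus_process() and relay_send_is_raft_enabled() keep the names from the message but are reduced to the one behaviour that matters here (the send drains a queue, and every queued raft message swaps relay->r). A "freed" recovery is marked with a flag in a static pool rather than passed to free(), so the stale read stays observable instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for tarantool's struct recovery / struct relay: only the fields this demo needs. */
struct recovery {
	int generation;	/* which restart created this object */
	bool alive;	/* cleared by recovery_delete(), the demo's stand-in for free() */
};

struct relay {
	struct recovery *r;	/* current recovery; swapped by relay_restart_recovery() */
	bool anon;		/* anonymous replica: subscribe skips relay_send_is_raft_enabled() */
	int pending_raft_msgs;	/* constructed: raft messages the cbus_process() loop will deliver */
};

/*
 * A static pool instead of malloc()/free(): a "freed" recovery stays addressable,
 * so a stale pointer is observable here instead of undefined behaviour.
 * POOL_SIZE bounds how many restarts one run may perform.
 */
#define POOL_SIZE 8
static struct recovery pool[POOL_SIZE];
static int next_gen;

static struct recovery *recovery_new(void) {
	struct recovery *r = &pool[next_gen % POOL_SIZE];
	r->generation = next_gen++;
	r->alive = true;
	return r;
}

static void recovery_delete(struct recovery *r) { r->alive = false; }

/* Stand-in for relay_restart_recovery(): drop the old recovery, install a new one. */
static void relay_restart_recovery(struct relay *relay) {
	recovery_delete(relay->r);
	relay->r = recovery_new();
}

/* Stand-in for the cbus_process() loop: every queued raft message restarts recovery. */
static void cbus_process(struct relay *relay) {
	while (relay->pending_raft_msgs > 0) {
		relay_restart_recovery(relay);
		relay->pending_raft_msgs--;
	}
}

/* Stand-in for relay_send_is_raft_enabled(): it waits for an ack, so it runs cbus_process(). */
static void relay_send_is_raft_enabled(struct relay *relay) { cbus_process(relay); }

/* Order before the patch: cache relay->r, then make the call that can replace it. */
static struct recovery *subscribe_before_fix(struct relay *relay) {
	struct recovery *r = relay->r;
	if (!relay->anon)
		relay_send_is_raft_enabled(relay);
	return r;	/* what the rest of the fiber would keep using */
}

/* Order after the patch: make the call first, then read relay->r. */
static struct recovery *subscribe_after_fix(struct relay *relay) {
	if (!relay->anon)
		relay_send_is_raft_enabled(relay);
	struct recovery *r = relay->r;
	return r;
}

/*
 * Run one subscribe under the given ordering and report whether the pointer
 * it kept is stale: already deleted, or no longer the relay's current recovery.
 */
static bool stale_pointer_observed(struct recovery *(*subscribe)(struct relay *),
				   bool anon, int raft_msgs) {
	next_gen = 0;
	struct relay relay = { .r = recovery_new(), .anon = anon, .pending_raft_msgs = raft_msgs };
	struct recovery *r = subscribe(&relay);
	return !r->alive || r != relay.r;
}

int main(void) {
	printf("before fix, 1 raft message: stale=%d\n", stale_pointer_observed(subscribe_before_fix, false, 1));
	printf("after fix,  1 raft message: stale=%d\n", stale_pointer_observed(subscribe_after_fix, false, 1));
	printf("before fix, anonymous replica: stale=%d\n", stale_pointer_observed(subscribe_before_fix, true, 1));
	return 0;
}
```

The anonymous-replica case is included because the real code only calls relay_send_is_raft_enabled() for non-anonymous replicas, which is why the bug needs a raft-enabled, non-anonymous subscriber to trigger; with the queue empty (no raft message arriving during the send) both orderings behave the same, which is why the bug was timing dependent.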



Thread overview: 8+ messages
2021-05-12 11:39 [Tarantool-patches] [PATCH] relay: fix use after free in subscribe_f Serge Petrenko via Tarantool-patches
2021-05-12 11:48 ` Cyrill Gorcunov via Tarantool-patches
2021-05-13 10:36   ` Serge Petrenko via Tarantool-patches
2021-05-12 20:25 ` Vladislav Shpilevoy via Tarantool-patches
2021-05-13 10:34   ` Serge Petrenko via Tarantool-patches
2021-05-13 11:23     ` Vladislav Shpilevoy via Tarantool-patches
2021-05-13 11:44     ` Cyrill Gorcunov via Tarantool-patches
2021-05-14  7:44 ` Kirill Yukhin via Tarantool-patches
