From: Vladislav Shpilevoy <v.shpilevoy@tarantool.org> To: tarantool-patches@dev.tarantool.org Subject: [Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials Date: Thu, 31 Oct 2019 00:57:49 +0100 [thread overview] Message-ID: <8c4b56ae46535fd048cae9b0081ccd47eaf8ab4f.1572479749.git.v.shpilevoy@tarantool.org> (raw) Func_delete() called credentials_destroy() after func->vtab->destroy(). But appeared, that vtab->destroy() is actually delete, and it frees the func object. Now the func's owner credentials are destroyed before the function is freed. Closes #4597 Follow up #2763 --- Branch: https://github.com/tarantool/tarantool/tree/gerold103/gh-4597-credentials-follow-up Issue: https://github.com/tarantool/tarantool/issues/4597 src/box/func.c | 3 ++- src/box/lua/call.c | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/box/func.c b/src/box/func.c index c94ca4974..7ac92bc84 100644 --- a/src/box/func.c +++ b/src/box/func.c @@ -463,6 +463,7 @@ func_c_destroy(struct func *base) assert(base != NULL && base->def->language == FUNC_LANGUAGE_C); struct func_c *func = (struct func_c *) base; func_c_unload(func); + TRASH(base); free(func); } @@ -548,8 +549,8 @@ void func_delete(struct func *func) { struct func_def *def = func->def; - func->vtab->destroy(func); credentials_destroy(&func->owner_credentials); + func->vtab->destroy(func); free(def); } diff --git a/src/box/lua/call.c b/src/box/lua/call.c index 00322f6c8..f1bbde7f0 100644 --- a/src/box/lua/call.c +++ b/src/box/lua/call.c @@ -734,6 +734,7 @@ func_lua_destroy(struct func *func) { assert(func != NULL && func->def->language == FUNC_LANGUAGE_LUA); assert(func->vtab == &func_lua_vtab); + TRASH(func); free(func); } -- 2.21.0 (Apple Git-122)
next reply other threads:[~2019-10-30 23:52 UTC|newest] Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-10-30 23:57 Vladislav Shpilevoy [this message] 2019-10-31 7:35 ` Kirill Yukhin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=8c4b56ae46535fd048cae9b0081ccd47eaf8ab4f.1572479749.git.v.shpilevoy@tarantool.org \ --to=v.shpilevoy@tarantool.org \ --cc=tarantool-patches@dev.tarantool.org \ --subject='Re: [Tarantool-patches] [PATCH 1/1] access: fix use-after-free of struct credentials' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox