From 0c4293d75659d4ee7de987d4f44ef97508cafc96 Mon Sep 17 00:00:00 2001
From: Serge Petrenko <sergepetrenko@tarantool.org>
Date: Wed, 26 Jul 2023 12:56:23 +0300
Subject: [PATCH] applier: fix use after free

The applier thread uses lsregion to allocate the messages for the tx thread. The
messages are freed upon return to the applier thread using a
corresponding lsr_id.

Due to a typo, one of the lsregion allocations was made with a postfix
increment of lsr_id instead of the prefix one. Essentially, part of a
new message was allocated with an old lsr_id, and might be freed early
by a return of a previous message.

Fix this.

Closes #8848

NO_DOC=bugfix
NO_TEST=covered by asan in #8901
NO_CHANGELOG=bugfix

(cherry picked from commit 0d5bd6b7b7d4134080edb466cfd8244fffe1fd4c)
---
 src/box/applier.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/box/applier.cc b/src/box/applier.cc
index d5addd549f..775dce22a5 100644
--- a/src/box/applier.cc
+++ b/src/box/applier.cc
@@ -2021,7 +2021,7 @@ applier_thread_reader_f(va_list ap)
 				 TIMEOUT_INFINITY :
 				 replication_disconnect_timeout();
 		struct applier_tx *tx;
-		tx = lsregion_alloc_object(lsr, applier->thread.lsr_id++,
+		tx = lsregion_alloc_object(lsr, ++applier->thread.lsr_id,
 					   struct applier_tx);
 		if (tx == NULL) {
 			diag_set(OutOfMemory, sizeof(*tx),
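Review bot: the placement of the increment is the entire fix, but nothing at the call site records why, so the next reader may treat `++applier->thread.lsr_id` versus `applier->thread.lsr_id++` as a style choice and reintroduce the bug. Add a short comment above `tx = lsregion_alloc_object(lsr, ++applier->thread.lsr_id,` saying that the id must be bumped before the first allocation of a message, because every allocation of the message has to carry the new lsr_id; otherwise the gc triggered by the previous message's return frees part of this one. Since the patch is marked NO_TEST and the defect was only caught by ASAN in #8901, that comment is currently the only guard against a regression.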
-- 
GitLab
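To make the commit message's explanation concrete, here is an added example that is not part of the patch or of tarantool's code. It uses a toy id-tagged allocator standing in for lsregion (assumed semantics: each allocation is stamped with an id, and a gc call frees every allocation whose id is at or below the given one) and a two-part "message" standing in for the applier_tx and its payload. The `buggy` flag selects the postfix increment the patch removes; with it, the second message's header is stamped with the first message's id and is released when the first message is returned.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for lsregion (not the real API): allocations are stamped
 * with an id; toy_gc(min_id) releases all allocations with id <= min_id. */
#define MAX_ALLOCS 64

struct toy_alloc {
	int64_t id;
	bool live;
};

struct toy_lsregion {
	struct toy_alloc slots[MAX_ALLOCS];
	size_t count;
};

static void toy_init(struct toy_lsregion *r)
{
	r->count = 0;
}

static struct toy_alloc *toy_alloc(struct toy_lsregion *r, int64_t id)
{
	if (r->count >= MAX_ALLOCS)
		return NULL;
	struct toy_alloc *a = &r->slots[r->count++];
	a->id = id;
	a->live = true;
	return a;
}

/* Models lsregion_gc(): everything up to and including min_id goes away. */
static void toy_gc(struct toy_lsregion *r, int64_t min_id)
{
	for (size_t i = 0; i < r->count; i++)
		if (r->slots[i].id <= min_id)
			r->slots[i].live = false;
}

/* Hypothetical message: a header (the applier_tx) plus a payload, which
 * must all share one lsr_id so that one gc frees the whole message. */
struct message {
	struct toy_alloc *hdr;
	struct toy_alloc *payload;
	int64_t lsr_id;
};

static struct message build_message(struct toy_lsregion *r, int64_t *lsr_id,
				    bool buggy)
{
	struct message m;
	/* buggy: postfix increment stamps the header with the OLD id,
	 * exactly the typo the patch fixes; fixed: prefix increment. */
	int64_t hdr_id = buggy ? (*lsr_id)++ : ++(*lsr_id);
	m.hdr = toy_alloc(r, hdr_id);
	/* Remaining allocations of the message use the current lsr_id. */
	m.payload = toy_alloc(r, *lsr_id);
	m.lsr_id = *lsr_id;
	return m;
}

/* Two messages are in flight; the first one is returned and its lsr_id is
 * passed to gc. Returns true if the second message is still fully live. */
static bool second_message_survives(bool buggy)
{
	struct toy_lsregion r;
	toy_init(&r);
	int64_t lsr_id = 0;
	struct message m1 = build_message(&r, &lsr_id, buggy);
	struct message m2 = build_message(&r, &lsr_id, buggy);
	toy_gc(&r, m1.lsr_id);
	return m2.hdr->live && m2.payload->live;
}

/* The first message itself must be fully released by its own gc. */
static bool first_message_freed(bool buggy)
{
	struct toy_lsregion r;
	toy_init(&r);
	int64_t lsr_id = 0;
	struct message m1 = build_message(&r, &lsr_id, buggy);
	toy_gc(&r, m1.lsr_id);
	return !m1.hdr->live && !m1.payload->live;
}

int main(void)
{
	printf("postfix (buggy): second message intact = %d\n",
	       second_message_survives(true));
	printf("prefix  (fixed): second message intact = %d\n",
	       second_message_survives(false));
	return 0;
}
```

With the postfix increment the header of message 2 carries id 1, the same id as message 1, so the gc that frees message 1 also frees that header while the tx thread may still be using it; with the prefix increment the header and payload of message 2 both carry id 2 and outlive the gc.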