Commit 1efe2864 authored by Serge Petrenko

applier: fix use after free

Applier thread uses lsregion to allocate the messages for tx thread. The
messages are freed upon return to the applier thread using a
corresponding lsr_id.

Due to a typo, one of the lsregion allocations was made with a postfix
increment of lsr_id instead of the prefix one. Essentially, part of a
new message was allocated with an old lsr_id, and might be freed early
by a return of a previous message.

Fix this.

Closes #8848

NO_DOC=bugfix
NO_TEST=covered by asan in #8901
NO_CHANGELOG=bugfix

(cherry picked from commit 0d5bd6b7)
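The mechanism the commit message describes, as an added example that is not Tarantool's code: a deliberately simplified lsregion-style allocator that tags every block with the id it was allocated under and frees everything at or below an id on gc (the real allocator works on slabs, not per-block tags), plus a model of the reader allocating a message in two parts that are meant to share one fresh id. The names applier_tx, read_message, tx_survives_release_of_previous and the 64-byte row buffer are assumptions made for the illustration. Run with the postfix bug, the second message's tx object is freed when the first message is released; with the prefix increment it survives.

```c
/* Added example, not Tarantool's code: simplified lsregion model showing
 * why `lsr_id++` frees part of the next message early and `++lsr_id` does
 * not. Names and sizes below are assumptions for the illustration. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One allocation, tagged with the id it was made under. */
struct lsr_block {
	uint64_t id;
	void *mem;
	uintptr_t addr;		/* address handed out, kept for liveness checks */
	bool freed;
	struct lsr_block *next;
};

/* The region: every block ever allocated, plus the largest id seen. */
struct lsregion {
	struct lsr_block *head;
	uint64_t max_id;
};

/* Allocate size bytes under id. Ids must never go backwards. */
static void *lsregion_alloc(struct lsregion *lsr, size_t size, uint64_t id)
{
	assert(id >= lsr->max_id);
	lsr->max_id = id;
	struct lsr_block *b = calloc(1, sizeof(*b));
	assert(b != NULL);
	b->id = id;
	b->mem = calloc(1, size);
	assert(b->mem != NULL);
	b->addr = (uintptr_t)b->mem;
	b->next = lsr->head;
	lsr->head = b;
	return b->mem;
}

/* Free every block allocated under an id <= min_id. */
static void lsregion_gc(struct lsregion *lsr, uint64_t min_id)
{
	for (struct lsr_block *b = lsr->head; b != NULL; b = b->next) {
		if (!b->freed && b->id <= min_id) {
			free(b->mem);
			b->freed = true;
		}
	}
}

/* True if the block handed out at addr has not been gc'ed yet. */
static bool lsregion_is_live(const struct lsregion *lsr, uintptr_t addr)
{
	for (const struct lsr_block *b = lsr->head; b != NULL; b = b->next)
		if (b->addr == addr)
			return !b->freed;
	return false;
}

/* Release all remaining blocks and bookkeeping. */
static void lsregion_destroy(struct lsregion *lsr)
{
	for (struct lsr_block *b = lsr->head; b != NULL;) {
		struct lsr_block *next = b->next;
		if (!b->freed)
			free(b->mem);
		free(b);
		b = next;
	}
	lsr->head = NULL;
}

/* One decoded message: the id it must be freed under and its row data. */
struct applier_tx {
	uint64_t lsr_id;
	void *rows;
};

/* Reader model: tx object first, then its rows, both meant to share one
 * fresh id. With postfix_bug the tx object gets the previous message's id. */
static struct applier_tx *
read_message(struct lsregion *lsr, uint64_t *lsr_id, bool postfix_bug)
{
	uint64_t tx_id = postfix_bug ? (*lsr_id)++ : ++*lsr_id;
	struct applier_tx *tx = lsregion_alloc(lsr, sizeof(*tx), tx_id);
	tx->lsr_id = *lsr_id;	/* id the message is released under later */
	tx->rows = lsregion_alloc(lsr, 64, *lsr_id);
	return tx;
}

/* Read two messages, release the first the way the tx thread's return
 * would (gc under its id), and report whether the second's tx survived. */
static bool tx_survives_release_of_previous(bool postfix_bug)
{
	struct lsregion lsr = { NULL, 0 };
	uint64_t lsr_id = 0;
	struct applier_tx *m1 = read_message(&lsr, &lsr_id, postfix_bug);
	struct applier_tx *m2 = read_message(&lsr, &lsr_id, postfix_bug);
	uintptr_t m2_addr = (uintptr_t)m2;
	uint64_t m1_id = m1->lsr_id;	/* read before m1 is freed */
	lsregion_gc(&lsr, m1_id);
	bool alive = lsregion_is_live(&lsr, m2_addr);
	lsregion_destroy(&lsr);
	return alive;
}

int main(void)
{
	printf("postfix lsr_id++: second tx alive after releasing first: %s\n",
	       tx_survives_release_of_previous(true) ? "yes" : "no");
	printf("prefix ++lsr_id:  second tx alive after releasing first: %s\n",
	       tx_survives_release_of_previous(false) ? "yes" : "no");
	return 0;
}
```

With the postfix form the first message's tx is tagged 0 and its rows 1, so the message is released under id 1; the second message's tx is tagged 1 as well and is swept away by that release while its rows (id 2) stay, which is the "part of a new message" the commit describes. The model never dereferences the freed object, it only checks the tag bookkeeping, which is why it runs cleanly without ASAN.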
parent 4b6370b9
......@@ -1665,7 +1665,7 @@ applier_thread_reader_f(va_list ap)
TIMEOUT_INFINITY :
replication_disconnect_timeout();
struct applier_tx *tx;
tx = lsregion_alloc_object(lsr, applier->thread.lsr_id++,
tx = lsregion_alloc_object(lsr, ++applier->thread.lsr_id,
struct applier_tx);
if (tx == NULL) {
diag_set(OutOfMemory, sizeof(*tx),
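Review bot: the pre-increment is the right fix, but the id bump still sits inside the allocation argument, which is exactly how `lsr_id++` got past review; hoist it so the id is computed once and reused, e.g. `uint64_t lsr_id = ++applier->thread.lsr_id;` followed by `tx = lsregion_alloc_object(lsr, lsr_id, struct applier_tx);`, and have any further allocation for the same message in this function take that same `lsr_id` rather than re-reading the field. Since the commit message leaves the regression check to ASAN in #8901, a small test that releases message N and then touches message N+1 would pin this down in the suite rather than only in a sanitizer run.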