From 90d763f976e13a5a1d2abbaa0383f0e81945142c Mon Sep 17 00:00:00 2001
From: Nikolay Shirokovskiy <nshirokovskiy@tarantool.org>
Date: Tue, 20 Jun 2023 10:47:33 +0300
Subject: [PATCH] iproto: fix use-after-free in net_end_join

`msg` is used after it is freed in iproto_msg_delete.

Close #9037

NO_TEST=tested by ASAN
NO_DOC=bugfix

(cherry picked from commit 4916389a3c1e86e6e6756a4b785799b2acca57ed)
---
 changelogs/unreleased/gh-9037-fix-heap-use-after-free.md | 3 +++
 src/box/iproto.cc                                        | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/unreleased/gh-9037-fix-heap-use-after-free.md

diff --git a/changelogs/unreleased/gh-9037-fix-heap-use-after-free.md b/changelogs/unreleased/gh-9037-fix-heap-use-after-free.md
new file mode 100644
index 0000000000..6ee5e86558
--- /dev/null
+++ b/changelogs/unreleased/gh-9037-fix-heap-use-after-free.md
@@ -0,0 +1,3 @@
+## bugfix/core
+
+* Fixed a use-after-free bug in iproto server code (gh-9037).
diff --git a/src/box/iproto.cc b/src/box/iproto.cc
index 503a23238e..e0bb652058 100644
--- a/src/box/iproto.cc
+++ b/src/box/iproto.cc
@@ -2735,8 +2735,9 @@ net_end_join(struct cmsg *m)
 {
 	struct iproto_msg *msg = (struct iproto_msg *) m;
 	struct iproto_connection *con = msg->connection;
+	struct ibuf *ibuf = msg->p_ibuf;
 
-	msg->p_ibuf->rpos += msg->len;
+	ibuf->rpos += msg->len;
 	iproto_msg_delete(msg);
 
 	assert(! ev_is_active(&con->input));
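Review bot: The new `ibuf` local only protects against this particular regression because it is read before `iproto_msg_delete(msg)`, and nothing in the hunk says so; a later edit that moves a `msg->` read below the delete would reintroduce #9037 unnoticed, since the description says it was caught only by ASAN. I would put the invariant next to the call: `/* iproto_msg_delete() frees msg: everything needed from it (con, p_ibuf, len) must be read above this line. */` and, optionally, `msg = NULL;` right after the delete so any future reread faults deterministically instead of touching freed memory. The freeing is inferred from the commit message; the body of iproto_msg_delete is not visible here. net_end_join continues past this hunk into the next one.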
@@ -2744,7 +2745,7 @@ net_end_join(struct cmsg *m)
 	 * Enqueue any messages if they are in the readahead
 	 * queue. Will simply start input otherwise.
 	 */
-	if (iproto_enqueue_batch(con, msg->p_ibuf) != 0)
+	if (iproto_enqueue_batch(con, ibuf) != 0)
 		iproto_connection_close(con);
 }
 
-- 
GitLab