Fix use-after-free in memtx_tuple_delete()

Struct of type tuple_format is being passed as an argument to tuple_format_unref() where it might be freed. On such occasion any further references to format fields should not take place. Acked-by: Cyrill Gorcunov <gorcunov@gmail.com> Closes #4658 (cherry picked from commit c08b94ed)

Fix use-after-free in memtx_tuple_delete()
b89c62bd · Maria · Nikita Pettik · 7a996f22 · b89c62bd
Commit b89c62bd authored 5 years ago by Maria Committed by Nikita Pettik 5 years ago
--- a/src/box/memtx_engine.c
+++ b/src/box/memtx_engine.c
@@ -1105,7 +1105,6 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
 	struct memtx_engine *memtx = (struct memtx_engine *)format->engine;
 	say_debug("%s(%p)", __func__, tuple);
 	assert(tuple->refs == 0);
-	tuple_format_unref(format);
 	struct memtx_tuple *memtx_tuple =
 		container_of(tuple, struct memtx_tuple, base);
 	size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base);
@@ -1115,6 +1114,7 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
 		smfree(&memtx->alloc, memtx_tuple, total);
 	else
 		smfree_delayed(&memtx->alloc, memtx_tuple, total);
+	tuple_format_unref(format);
 }

 void