From c08b94edccc17ea614a9bc0ce0ba0e707d69913d Mon Sep 17 00:00:00 2001
From: Maria <maria.khaydich@tarantool.org>
Date: Fri, 29 Nov 2019 01:40:07 +0300
Subject: [PATCH] Fix use-after-free in memtx_tuple_delete()

A struct tuple_format is passed as an argument to
tuple_format_unref(), which may free it. Once that call has been made,
no further references to the format's fields may take place.

Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>

Closes #4658
---
 src/box/memtx_engine.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/box/memtx_engine.c b/src/box/memtx_engine.c
index 23ccc4703f..4da80824af 100644
--- a/src/box/memtx_engine.c
+++ b/src/box/memtx_engine.c
@@ -1177,7 +1177,6 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
 	struct memtx_engine *memtx = (struct memtx_engine *)format->engine;
 	say_debug("%s(%p)", __func__, tuple);
 	assert(tuple->refs == 0);
-	tuple_format_unref(format);
 	struct memtx_tuple *memtx_tuple =
 		container_of(tuple, struct memtx_tuple, base);
 	size_t total = tuple_size(tuple) + offsetof(struct memtx_tuple, base);
@@ -1187,6 +1186,7 @@ memtx_tuple_delete(struct tuple_format *format, struct tuple *tuple)
 		smfree(&memtx->alloc, memtx_tuple, total);
 	else
 		smfree_delayed(&memtx->alloc, memtx_tuple, total);
+	tuple_format_unref(format);
 }
 
 void
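Review bot: The moved `tuple_format_unref(format);` is correct only because it is now the last statement, and nothing in the hunk records that ordering, so a later edit that appends code touching `format` after it would silently reintroduce the use-after-free the commit fixes. A one-line comment above the call would pin the invariant: `/* Must stay last: may free `format`, whose fields are read above. */` The same applies to the read of `format->engine` in the first hunk, which is safe only while it precedes the unref. memtx_tuple_delete's opening brace lies outside both hunks; the function ends at the closing brace in this one.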
-- 
GitLab