access: fix use-after-free of struct credentials

Func_delete() called credentials_destroy() after func->vtab->destroy(). But appeared, that vtab->destroy() is actually delete, and it frees the func object. Now the func's owner credentials are destroyed before the function is freed. Closes #4597 Follow up #2763 (cherry picked from commit 330ea24)
tarantool · Oct 31, 2019 · 430cb62 · 430cb62
1 parent 091ab9d
commit 430cb62
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/src/box/func.c b/src/box/func.c
@@ -492,6 +492,7 @@ func_c_destroy(struct func *base)
 	assert(base != NULL && base->def->language == FUNC_LANGUAGE_C);
 	struct func_c *func = (struct func_c *) base;
 	func_c_unload(func);
+	TRASH(base);
 	free(func);
 }
 
@@ -577,8 +578,8 @@ void
 func_delete(struct func *func)
 {
 	struct func_def *def = func->def;
-	func->vtab->destroy(func);
 	credentials_destroy(&func->owner_credentials);
+	func->vtab->destroy(func);
 	free(def);
 }
 

diff --git a/src/box/lua/call.c b/src/box/lua/call.c
@@ -731,6 +731,7 @@ func_lua_destroy(struct func *func)
 {
 	assert(func != NULL && func->def->language == FUNC_LANGUAGE_LUA);
 	assert(func->vtab == &func_lua_vtab);
+	TRASH(func);
 	free(func);
 }