iproto: fix use-after-free in net_end_join

`msg` is used after it is freed in iproto_msg_delete. Close #9037 NO_TEST=tested by ASAN NO_DOC=bugfix
tarantool · Aug 28, 2023 · 4916389 · 4916389
1 parent 22e1532
commit 4916389
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/changelogs/unreleased/gh-9037-fix-heap-use-after-free.md b/changelogs/unreleased/gh-9037-fix-heap-use-after-free.md
@@ -0,0 +1,3 @@
+## bugfix/core
+
+* Fixed a use-after-free bug in iproto server code (gh-9037).
diff --git a/src/box/iproto.cc b/src/box/iproto.cc
@@ -2669,16 +2669,17 @@ net_end_join(struct cmsg *m)
 {
 	struct iproto_msg *msg = (struct iproto_msg *) m;
 	struct iproto_connection *con = msg->connection;
+	struct ibuf *ibuf = msg->p_ibuf;
 
-	msg->p_ibuf->rpos += msg->len;
+	ibuf->rpos += msg->len;
 	iproto_msg_delete(msg);
 
 	assert(! ev_is_active(&con->input));
 	/*
 	 * Enqueue any messages if they are in the readahead
 	 * queue. Will simply start input otherwise.
 	 */
-	if (iproto_enqueue_batch(con, msg->p_ibuf) != 0)
+	if (iproto_enqueue_batch(con, ibuf) != 0)
 		iproto_connection_close(con);
 }