
Commit af80d63

edsipercosmo0920
authored andcommitted
in_storage_backlog: fix use-after-free when segregating chunk
Signed-off-by: Eduardo Silva <[email protected]>
1 parent d08f805 commit af80d63

1 file changed

+17
-17
lines changed
  • plugins/in_storage_backlog


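--- a/plugins/in_storage_backlog/sb.c
+++ b/plugins/in_storage_backlog/sb.c
@@ -518,6 +518,7 @@ static int cb_queue_chunks(struct flb_input_instance *in,
 ssize_t size;
 int ret;
 int event_type;
+struct cio_chunk *underlying_chunk;
 
 /* Get context */
 ctx = (struct flb_sb *) data;
@@ -560,11 +561,14 @@ static int cb_queue_chunks(struct flb_input_instance *in,
 flb_plg_error(ctx->ins, "removing corrupted chunk from the "
 "queue %s:%s",
 chunk_instance->stream->name, chunk_instance->chunk->name);
-cio_chunk_close(chunk_instance->chunk, FLB_FALSE);
-sb_remove_chunk_from_segregated_backlogs(chunk_instance->chunk, ctx);
-/* This function will indirecly release chunk_instance so it has to be
-* called last.
+underlying_chunk = chunk_instance->chunk;
+
+/*
+* sb_remove_chunk_from_segregated_backlogs() releases chunk_instance,
+* so grab the pointer first and close the chunk afterwards.
 */
+sb_remove_chunk_from_segregated_backlogs(underlying_chunk, ctx);
+cio_chunk_close(underlying_chunk, FLB_FALSE);
 continue;
 }
 else if (ret == CIO_ERROR || ret == CIO_RETRY) {
@@ -586,9 +590,9 @@ static int cb_queue_chunks(struct flb_input_instance *in,
 "from the queue %s:%s",
 chunk_instance->stream->name,
 chunk_instance->chunk->name);
-cio_chunk_close(chunk_instance->chunk, FLB_TRUE);
-sb_remove_chunk_from_segregated_backlogs(chunk_instance->chunk,
-ctx);
+underlying_chunk = chunk_instance->chunk;
+sb_remove_chunk_from_segregated_backlogs(underlying_chunk, ctx);
+cio_chunk_close(underlying_chunk, FLB_TRUE);
 continue;
 }
 event_type = ret;
@@ -599,11 +603,9 @@ static int cb_queue_chunks(struct flb_input_instance *in,
 flb_plg_error(ctx->ins, "removing empty chunk from the "
 "queue %s:%s",
 chunk_instance->stream->name, chunk_instance->chunk->name);
-cio_chunk_close(chunk_instance->chunk, FLB_TRUE);
-sb_remove_chunk_from_segregated_backlogs(chunk_instance->chunk, ctx);
-/* This function will indirecly release chunk_instance so it has to be
-* called last.
-*/
+underlying_chunk = chunk_instance->chunk;
+sb_remove_chunk_from_segregated_backlogs(underlying_chunk, ctx);
+cio_chunk_close(underlying_chunk, FLB_TRUE);
 continue;
 }
 
@@ -620,11 +622,9 @@ static int cb_queue_chunks(struct flb_input_instance *in,
 * If the file cannot be mapped, just drop it. Failures are all
 * associated with data corruption.
 */
-cio_chunk_close(chunk_instance->chunk, FLB_TRUE);
-sb_remove_chunk_from_segregated_backlogs(chunk_instance->chunk, ctx);
-/* This function will indirecly release chunk_instance so it has to be
-* called last.
-*/
+underlying_chunk = chunk_instance->chunk;
+sb_remove_chunk_from_segregated_backlogs(underlying_chunk, ctx);
+cio_chunk_close(underlying_chunk, FLB_TRUE);
 continue;
 }
 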
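Review bot: The ordering constraint that this fix depends on is documented only at the first site (the "removing corrupted chunk" branch in the second hunk); in the third, fourth and fifth hunks the old "has to be called last" comment is deleted and nothing replaces it, so the three-line `underlying_chunk = ...; sb_remove_chunk_from_segregated_backlogs(...); cio_chunk_close(...);` sequence there gives a future reader no hint that swapping the two calls, or reading `chunk_instance` after the first, reintroduces the use-after-free. Add the same one-line comment at each of those sites, e.g. `/* sb_remove_chunk_from_segregated_backlogs() frees chunk_instance; use only underlying_chunk after it */`, or fold the four identical sequences into one static helper so the invariant lives in a single place. It also looks like `sb_remove_chunk_from_segregated_backlogs()` is handed a still-open chunk at every site now, whereas before it received an already-closed one; if that function touches the chunk's state this is a behaviour change worth confirming against its definition, which is outside these hunks. `cb_queue_chunks()` begins before the first hunk and continues past the last.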