Double free prevented.

routeQuery calls route_single_stmt, which requires the GWBUF to be contiguous. Earlier it was made contiguous (if needed) in route_single_stmt. However, since the process of making a GWBUF contiguous causes the original buffer to be freed, this would lead to a double free later in routeQuery that frees the passed buffer. This is prevented now by making the buffer contiguous before calling route_single_stmt.
2015-09-29 10:37:56 +03:00
parent 6f3ec723b1
commit db0e2e881f
1 changed files with 7 additions and 6 deletions
--- a/server/modules/routing/readwritesplit/readwritesplit.c
+++ b/server/modules/routing/readwritesplit/readwritesplit.c
@ -2022,6 +2022,9 @@ static int routeQuery(
 			}
 			else
 			{
+				/** route_single_stmt expects the buffer to be contiguous. */
+				querybuf = gwbuf_make_contiguous(querybuf);
+
 				succp = route_single_stmt(inst, router_cli_ses, querybuf);
 			}
 		}
@ -2053,6 +2056,9 @@ static int routeQuery(
 	}
 	else
 	{
+		/** route_single_stmt expects the buffer to be contiguous. */
+		querybuf = gwbuf_make_contiguous(querybuf);
+
 		succp = route_single_stmt(inst, router_cli_ses, querybuf);
 	}
 	
@ -2108,6 +2114,7 @@ static bool route_single_stmt(
 	int                rlag_max       = MAX_RLAG_UNDEFINED;
 	backend_type_t     btype; /*< target backend type */

+	ss_dassert(querybuf->next == NULL); // The buffer must be contiguous.
 	ss_dassert(!GWBUF_IS_TYPE_UNDEFINED(querybuf));

 	/** 
@ -2130,12 +2137,6 @@ static bool route_single_stmt(
 		succp = false;
 		goto retblock;
 	}
-	
-	/** If buffer is not contiguous, make it such */
-	if (querybuf->next != NULL)
-	{
-		querybuf = gwbuf_make_contiguous(querybuf);
-	}

 	packet = GWBUF_DATA(querybuf);
 	packet_len = gw_mysql_get_byte3(packet);