Fix: accessed released memory in mysql_client.c where dcb->data was released in gw_mysql_do_authentication and accessed afterwards.

server/modules/protocol/mysql_client.c

@@ -437,8 +437,6 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
 	/* Detect now if there are enough bytes to continue */
 	if (client_auth_packet_size < (4 + 4 + 4 + 1 + 23)) 
 	{
-		free(dcb->data);
-		dcb->data = NULL;
 		return 1;
 	}
 
@@ -457,8 +455,6 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
 	
 	if (username == NULL)
 	{
-		free(dcb->data);
-		dcb->data = NULL;
 		return 1;
 	}
 
@@ -529,8 +525,7 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
 	}
 	else
 	{
-		free(dcb->data);
-		dcb->data = NULL;
+		return 1;
 	}
 
 	/* let's free the auth_token now */
@@ -723,6 +718,11 @@ int gw_read_client_event(
 				"state = MYSQL_AUTH_FAILED.",
 				protocol->owner_dcb->fd,
 				pthread_self())));
+			/**
+			 * Release MYSQL_session since it is not used anymore.
+			 */
+			free(dcb->data);
+			dcb->data = NULL;
 			
 			dcb_close(dcb);
 		}

server/modules/routing/readwritesplit/readwritesplit.c

@@ -2359,6 +2359,9 @@ static bool route_single_stmt(
 		 * 
 		 * !!! Note that according to MySQL protocol
 		 * there can only be one such non-sescmd stmt at the time.
+		 * It is possible that bref->bref_pending_cmd includes a pending
+		 * command if rwsplit is parent or child for another router, 
+		 * which runs all the same commands.
 		 * 
 		 * If the assertion below traps, pending queries are treated 
 		 * somehow wrong, or client is sending more queries before 
@@ -2722,7 +2725,8 @@ static void clientReply (
 		
 		CHK_GWBUF(bref->bref_pending_cmd);
 		
-		if ((ret = bref->bref_dcb->func.write(bref->bref_dcb, 
+		if ((ret = bref->bref_dcb->func.write(
+				bref->bref_dcb, 
 				gwbuf_clone(bref->bref_pending_cmd))) == 1)
 		{
 			ROUTER_INSTANCE* inst = (ROUTER_INSTANCE *)instance;