From efa94c5735a445eaacf087f35e585180800c19a1 Mon Sep 17 00:00:00 2001
From: Haavard Kvaalen
Date: Thu, 4 Mar 2021 15:34:05 +0100
Subject: [PATCH] Fix use after free in mysqlxx::Pool::tryGet()

tryGet() created an Entry object that referenced a Connection, but then deleted the Connection just before the Entry went out of scope.
---
 base/mysqlxx/Pool.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/base/mysqlxx/Pool.cpp b/base/mysqlxx/Pool.cpp
index cf8b3cf9267..386b4544b78 100644
--- a/base/mysqlxx/Pool.cpp
+++ b/base/mysqlxx/Pool.cpp
@@ -174,9 +174,11 @@ Pool::Entry Pool::tryGet()
 /// Fixme: There is a race condition here b/c we do not synchronize with Pool::Entry's copy-assignment operator
 if (connection_ptr->ref_count == 0)
 {
- Entry res(connection_ptr, this);
- if (res.tryForceConnected()) /// Tries to reestablish connection as well
- return res;
+ {
+ Entry res(connection_ptr, this);
+ if (res.tryForceConnected()) /// Tries to reestablish connection as well
+ return res;
+ }
 logger.debug("(%s): Idle connection to MySQL server cannot be recovered, dropping it.", getDescription());
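Review bot: The added inner `{ … }` block around `Entry res` has no comment explaining that it is there for lifetime reasons, so a later tidy-up could flatten it and bring the use-after-free back. I would put a line above the opening brace such as `/// res must be destroyed before connection_ptr is deleted below; do not remove this scope.` The deletion itself is not visible here (the body of tryGet() starts and ends outside the hunk), so this relies on the commit message's description of the ordering. Separately, the `ref_count == 0` check is still unsynchronized, as the existing Fixme says, so another holder taking a reference between the check and the drop is presumably still possible and deserves its own follow-up.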