diff options
author | sueloverso <sue@mongodb.com> | 2017-06-15 10:51:19 -0400 |
---|---|---|
committer | Alex Gorrod <alexander.gorrod@mongodb.com> | 2017-06-15 10:51:19 -0400 |
commit | 15bf184909f8fc69c93404e93f20ad5dcbe3c2c2 (patch) | |
tree | 0c47115a40b7009457c54a2b3a5dfcd286d1f199 | |
parent | 625cbb33b9c39e6bb1fa00f21f3beb5573d645d6 (diff) | |
download | mongo-15bf184909f8fc69c93404e93f20ad5dcbe3c2c2.tar.gz |
WT-3370 Reset metafile after it could be re-allocated. (#3465)
This fixes a potential memory access after free in transaction recovery.
-rw-r--r-- | src/txn/txn_recover.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/txn/txn_recover.c b/src/txn/txn_recover.c index 590e17b6a2a..58f4f0750d7 100644 --- a/src/txn/txn_recover.c +++ b/src/txn/txn_recover.c @@ -458,6 +458,11 @@ __wt_txn_recover(WT_SESSION_IMPL *session) * larger than any checkpoint LSN we have from the earlier time. */ WT_ERR(__recovery_file_scan(&r)); + /* + * The array can be re-allocated in recovery_file_scan. Reset + * our pointer after scanning all the files. + */ + metafile = &r.files[WT_METAFILE_ID]; conn->next_file_id = r.max_fileid; if (FLD_ISSET(conn->log_flags, WT_CONN_LOG_ENABLED) && @@ -509,6 +514,11 @@ __wt_txn_recover(WT_SESSION_IMPL *session) /* Scan the metadata to find the live files and their IDs. */ WT_ERR(__recovery_file_scan(&r)); + /* + * Clear this out. We no longer need it and it could have been + * re-allocated when scanning the files. + */ + metafile = NULL; /* * We no longer need the metadata cursor: close it to avoid pinning any |