authorsueloverso <sue@mongodb.com>2017-06-15 10:51:19 -0400
committerAlex Gorrod <alexander.gorrod@mongodb.com>2017-06-15 10:51:19 -0400
commit15bf184909f8fc69c93404e93f20ad5dcbe3c2c2 (patch)
tree0c47115a40b7009457c54a2b3a5dfcd286d1f199
parent625cbb33b9c39e6bb1fa00f21f3beb5573d645d6 (diff)
WT-3370 Reset metafile after it could be re-allocated. (#3465)
This fixes a potential memory access after free in transaction recovery.
-rw-r--r--src/txn/txn_recover.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/txn/txn_recover.c b/src/txn/txn_recover.c
index 590e17b6a2a..58f4f0750d7 100644
--- a/src/txn/txn_recover.c
+++ b/src/txn/txn_recover.c
@@ -458,6 +458,11 @@ __wt_txn_recover(WT_SESSION_IMPL *session)
* larger than any checkpoint LSN we have from the earlier time.
*/
WT_ERR(__recovery_file_scan(&r));
+ /*
+ * The array can be re-allocated in recovery_file_scan. Reset
+ * our pointer after scanning all the files.
+ */
+ metafile = &r.files[WT_METAFILE_ID];
conn->next_file_id = r.max_fileid;
if (FLD_ISSET(conn->log_flags, WT_CONN_LOG_ENABLED) &&
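Review bot: The reset `metafile = &r.files[WT_METAFILE_ID];` only protects code that runs after a successful scan; `WT_ERR(__recovery_file_scan(&r))` presumably jumps to an error label on failure, where `metafile` would still point at the old allocation, so confirm that the cleanup path (outside this hunk) never dereferences it. The pattern also stays fragile, because any later call that grows `r.files` reintroduces the access after free. Indexing `r.files[WT_METAFILE_ID]` at each use, or setting `metafile = NULL;` immediately before each scan rather than only after it as the second hunk does, would make a stale use fault deterministically instead of reading freed memory. The added comment should name the function as `__recovery_file_scan` so it matches the call and can be found by search. The body of __wt_txn_recover starts and ends outside both hunks.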
@@ -509,6 +514,11 @@ __wt_txn_recover(WT_SESSION_IMPL *session)
/* Scan the metadata to find the live files and their IDs. */
WT_ERR(__recovery_file_scan(&r));
+ /*
+ * Clear this out. We no longer need it and it could have been
+ * re-allocated when scanning the files.
+ */
+ metafile = NULL;
/*
* We no longer need the metadata cursor: close it to avoid pinning any