Michał Chojnowski 3df5de60a9 cache_flat_mutation_reader: only call get_iterator_in_latest() when pointing at a row ...

Calling `_next_row.get_iterator_in_latest()` is illegal when `_next_row` is not
pointing at a row. In particular, the iterator returned by such call might be
dangling.

We have observed this to cause a use-after-free in the field, when a reverse
read called `maybe_add_to_cache` after `_latest_it` was left dangling after
a dead row removal in `copy_from_cache_to_buffer`.

To fix this, we should ensure that we only call `_next_row.get_iterator_in_latest`
is pointing at a row.

Only the occurrences of this problem in `maybe_add_to_cache` are truly dangerous.
As far as I can see, other occurrences can't break anything as of now.
But we apply fixes to them anyway.

(cherry picked from commit 04db6d4bb1)

Closes scylladb/scylladb#18075

2024-03-28 11:04:28 +01:00

52 KiB

Raw Permalink Blame History

View Raw