From bd43c259dfcc4162ae30a87f5ef0d5b370da89c6 Mon Sep 17 00:00:00 2001
From: Andrew Hutchings
Date: Fri, 11 Aug 2017 10:06:13 +0100
Subject: [PATCH] MCOL-835 Fix use-after-free crash in ExeMgr It is possible that DistributedEngineComm can get the Stats object from an MQE object and the MQE object freed before it's stats object is passed to InetStreamSocket. This patch makes sure that DistributedEngineComm gets a reference to MQE instead of the pointer to the Stats object in another reference. Therefore making sure that the Stats object still exists in InetStreamSocket.
--- dbcon/joblist/distributedenginecomm.cpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/dbcon/joblist/distributedenginecomm.cpp b/dbcon/joblist/distributedenginecomm.cpp
index 19efe7e5c..40dddbc29 100644
--- a/dbcon/joblist/distributedenginecomm.cpp
+++ b/dbcon/joblist/distributedenginecomm.cpp
@@ -765,12 +765,15 @@ void DistributedEngineComm::write(messageqcpp::ByteStream &msg, uint32_t connect
 mutex::scoped_lock lk(fMlock, defer_lock_t());
 MessageQueueMap::iterator it;
+ // This keeps mqe's stats from being freed until end of function
+ boost::shared_ptr mqe;
 Stats *senderStats = NULL;
 lk.lock();
 it = fSessionMessages.find(senderID);
 if (it != fSessionMessages.end())
- senderStats = &(it->second->stats);
+ mqe = it->second;
+ senderStats = &(mqe->stats);
 lk.unlock();
 newClients[connection]->write(msg, NULL, senderStats);
@@ -829,6 +832,8 @@ int DistributedEngineComm::writeToClient(size_t index, const ByteStream& bs, uin
 {
 mutex::scoped_lock lk(fMlock, defer_lock_t());
 MessageQueueMap::iterator it;
+ // Keep mqe's stats from being freed early
+ boost::shared_ptr mqe;
 Stats *senderStats = NULL;
 uint32_t interleaver = 0;
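Review bot: The new `senderStats = &(mqe->stats);` in write() sits outside the `if (it != fSessionMessages.end())`, which has no braces, so when senderID is not in fSessionMessages it dereferences the still-empty `mqe` instead of leaving senderStats NULL as the removed line did; a missed lookup now crashes ExeMgr where it previously just wrote without stats. The assignment belongs inside the conditional with the copy, as the second occurrence in writeToClient already does: `if (it != fSessionMessages.end()) { mqe = it->second; senderStats = &(mqe->stats); }`. Separately, `boost::shared_ptr mqe;` shows no template argument in either hunk, which is presumably lost in rendering rather than in the source, but worth confirming against the committed file. write()'s body begins before this hunk and the function continues past its last line.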
@@ -839,7 +844,8 @@ int DistributedEngineComm::writeToClient(size_t index, const ByteStream& bs, uin
 lk.lock();
 it = fSessionMessages.find(sender);
 if (it != fSessionMessages.end())
 {
- senderStats = &(it->second->stats);
+ mqe = it->second;
+ senderStats = &(mqe->stats);
 if (doInterleaving)
 interleaver = it->second->interleaver[index % it->second->pmCount]++;
 }
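Review bot: A point of style: the interleaver line in writeToClient still reads the entry through `it->second->interleaver[...]` and `it->second->pmCount` while the two lines just above it now go through `mqe`, so the block holds two handles to the same object; `interleaver = mqe->interleaver[index % mqe->pmCount]++;` keeps one name in the block and makes the lifetime role of the new shared_ptr visible at every use. What the shared_ptr guarantees is only that the entry outlives this call; whether the Stats object is later touched outside fMlock (the write that consumes senderStats is not in this hunk) and whether Stats tolerates concurrent updates from other sessions cannot be seen here and is worth a one-line comment next to the declaration, e.g. `// mqe pins the entry; access to mqe->stats after lk.unlock() is not serialized by fMlock`. writeToClient's body starts before this hunk and continues past it.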