From: Vsevolod Stakhov Date: Thu, 9 Oct 2025 10:36:02 +0000 (+0100) Subject: [Fix] Fix double-release of fuzzy_tcp_session on invalid commands X-Git-Tag: 3.14.0~84^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F5669%2Fhead;p=thirdparty%2Frspamd.git [Fix] Fix double-release of fuzzy_tcp_session on invalid commands When a TCP command fails to parse in rspamd_fuzzy_tcp_io, the fuzzy_tcp_session was released prematurely while cmd_session still held a reference to it. This caused a double-release when cmd_session was destroyed, potentially leading to memory corruption. --- diff --git a/src/fuzzy_storage.c b/src/fuzzy_storage.c index fcd8987dde..efd28dd47c 100644 --- a/src/fuzzy_storage.c +++ b/src/fuzzy_storage.c @@ -2740,7 +2740,7 @@ rspamd_fuzzy_tcp_io(EV_P_ ev_io *w, int revents) msg_debug_fuzzy_storage("invalid TCP fuzzy command of size %d received from %s", (int) frame_len, rspamd_inet_address_to_string(session->common.addr)); - REF_RELEASE(session); /* Release TCP session reference */ + /* Note: Don't release session here - cmd_session holds a reference and will release it */ } /* Release our reference - session will be freed when all callbacks complete */
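Review bot: In the invalid-command branch of rspamd_fuzzy_tcp_io, the new comment asserts that cmd_session holds a reference and will release it, but nothing visible in this hunk shows cmd_session being destroyed on this path, so if that teardown is skipped when parsing fails the change trades a double-release for a leaked fuzzy_tcp_session. Please confirm that cmd_session is always freed after the msg_debug_fuzzy_storage call in this branch, and consider rewording the comment to state the ownership rule (which object owns which reference to session) instead of describing the removed line, since "Don't release session here" will mean little once the old REF_RELEASE is forgotten. A regression test that sends a TCP frame that fails to parse, run under a memory sanitizer, would cover both the double-release described in the commit message and the leak case.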