From a40aaaf7954704655543a4b28c09130e3d2635ea Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Thu, 9 Oct 2025 11:36:02 +0100
Subject: [PATCH] [Fix] Fix double-release of fuzzy_tcp_session on invalid commands

When a TCP command fails to parse in rspamd_fuzzy_tcp_io, the fuzzy_tcp_session was released prematurely while cmd_session still held a reference to it. This caused a double-release when cmd_session was destroyed, potentially leading to memory corruption.
---
 src/fuzzy_storage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/fuzzy_storage.c b/src/fuzzy_storage.c
index fcd8987dde..efd28dd47c 100644
--- a/src/fuzzy_storage.c
+++ b/src/fuzzy_storage.c
@@ -2740,7 +2740,7 @@ rspamd_fuzzy_tcp_io(EV_P_ ev_io *w, int revents)
 msg_debug_fuzzy_storage("invalid TCP fuzzy command of size %d received from %s",
 (int) frame_len, rspamd_inet_address_to_string(session->common.addr));
-REF_RELEASE(session); /* Release TCP session reference */
+/* Note: Don't release session here - cmd_session holds a reference and will release it */
 }
 /* Release our reference - session will be freed when all callbacks complete */
-- 
2.47.3
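Review bot: The replaced line now relies on an ownership invariant that is stated only in a comment, and the hunk does not show where cmd_session takes its reference to the TCP session; if any path can reach this invalid-command branch before cmd_session has retained the session, the fix turns a double-release into a leak of the session. The added comment should name the retain site and the releasing destructor so the pairing can be verified by the next reader, e.g. `/* cmd_session retained this TCP session when it was created and its destructor releases it; releasing here again would double-free */`. Since this branch is reached by a malformed frame received from a remote peer, a regression test feeding an unparseable frame over TCP under AddressSanitizer would pin the fix against reintroduction. rspamd_fuzzy_tcp_io starts and ends outside the hunk, so the surrounding control flow is inferred from the commit description rather than visible lines.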