From c4928e6ecd64486f3a45836f15dc031603c45d71 Mon Sep 17 00:00:00 2001
From: Vitaliy Filippov
Date: Sat, 30 Dec 2023 17:11:52 +0300
Subject: [PATCH] Protect from try_send completing the operation immediately
Fixes a possible use-after-free in case of continue_ops() calling try_send(), then connect_peer() -> set_timer() -> trigger_nearest() -> handle_op_part() -> continue_ops() again
---
 src/cluster_client.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/cluster_client.cpp b/src/cluster_client.cpp
index bbe71f36..efed244a 100644
--- a/src/cluster_client.cpp
+++ b/src/cluster_client.cpp
@@ -705,6 +705,8 @@ resume_1:
 }
 goto resume_2;
 }
+ // Protect from try_send completing the operation immediately
+ op->inflight_count++;
 for (int i = 0; i < op->parts.size(); i++)
 {
 if (!(op->parts[i].flags & PART_SENT))
@@ -728,8 +730,10 @@ resume_1:
 }
 }
 }
+ op->inflight_count--;
 if (op->state == 1)
 {
+ // Some suboperations have to be resent
 return 0;
 }
 resume_2:
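Review bot: The decrement at `op->inflight_count--` in the second hunk does not re-check whether the operation became completable while the guard was held; if a synchronous completion reached through try_send() is conditioned on inflight_count dropping to zero (handle_op_part is not visible here), that completion is suppressed by the `++` in the first hunk and nothing after the `--` replays it, unless the code at resume_2 outside the hunk does. The guard also assumes the loop body between the two hunks has no return or goto that bypasses the decrement; since that body is not in the diff, a comment stating the invariant would help, e.g. `// Held across the send loop below: every exit path from the loop must reach the matching decrement, or op may be freed under us`. The enclosing function starts and ends outside both hunks.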