Backport #97520 to 25.12: fix a possible use after free in StorageKafka2::activate()

robot-clickhouse · robot-clickhouse · commit 79f0fb6a962a · 2026-02-22T13:31:55.000Z
diff --git a/src/Storages/Kafka/StorageKafka2.cpp b/src/Storages/Kafka/StorageKafka2.cpp
@@ -210,6 +210,11 @@ void StorageKafka2::partialShutdown()
         task->holder->deactivate();
     }
     is_active = false;
+    /// Reset the active node holder while the old ZooKeeper session is still alive (even if expired).
+    /// EphemeralNodeHolder stores a raw ZooKeeper reference, so resetting it here prevents a
+    /// use-after-free: setZooKeeper() called afterwards may free the old session, and the holder's
+    /// destructor would then access a dangling reference when checking zookeeper.expired().
+    replica_is_active_node = nullptr;
 }
 
 bool StorageKafka2::activate()

Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,11 @@ void StorageKafka2::partialShutdown()`
`210`	`210`	`task->holder->deactivate();`
`211`	`211`	`}`
`212`	`212`	`is_active = false;`
	`213`	`+ /// Reset the active node holder while the old ZooKeeper session is still alive (even if expired).`
	`214`	`+ /// EphemeralNodeHolder stores a raw ZooKeeper reference, so resetting it here prevents a`
	`215`	`+ /// use-after-free: setZooKeeper() called afterwards may free the old session, and the holder's`
	`216`	`+ /// destructor would then access a dangling reference when checking zookeeper.expired().`
	`217`	`+ replica_is_active_node = nullptr;`
`213`	`218`	`}`
`214`	`219`
`215`	`220`	`bool StorageKafka2::activate()`