fixup: make ItemHandle own a ref<Item> to prevent UAF on failed transfers

cole-h · cole-h · commit 3619618e8d07 · 2026-02-20T10:38:04.000-08:00
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
@@ -962,7 +962,7 @@ struct curlFileTransfer : public FileTransfer
         writeFull(wakeupPipe.writeSide.get(), " ");
 #endif
 
-        return ItemHandle(static_cast<Item &>(*item));
+        return ItemHandle(ref<Item>(std::move(item)));
     }
 
     ItemHandle
@@ -977,7 +977,7 @@ struct curlFileTransfer : public FileTransfer
                 return enqueueItem(item);
             } catch (const nix::Error & e) {
                 item->fail(e);
-                return ItemHandle(static_cast<Item &>(*item));
+                return ItemHandle(ref<Item>(std::move(item)));
             }
         }
 
@@ -986,7 +986,7 @@ struct curlFileTransfer : public FileTransfer
             return enqueueItem(item);
         } catch (const nix::Error & e) {
             item->fail(e);
-            return ItemHandle(static_cast<Item &>(*item));
+            return ItemHandle(ref<Item>(std::move(item)));
         }
     }
 
@@ -1001,7 +1001,7 @@ struct curlFileTransfer : public FileTransfer
 
     void unpauseTransfer(ItemHandle handle) override
     {
-        unpauseTransfer(ref{static_cast<TransferItem &>(handle.item.get()).shared_from_this()});
+        unpauseTransfer(ref{static_cast<TransferItem &>(*handle.item).shared_from_this()});
     }
 };
 
diff --git a/src/libstore/include/nix/store/filetransfer.hh b/src/libstore/include/nix/store/filetransfer.hh
@@ -262,11 +262,11 @@ public:
      */
     struct ItemHandle
     {
-        std::reference_wrapper<Item> item;
+        ref<Item> item;
         friend struct FileTransfer;
 
-        ItemHandle(Item & item)
-            : item(item)
+        explicit ItemHandle(ref<Item> item)
+            : item(std::move(item))
         {
         }
     };

Original file line number	Diff line number	Diff line change
`@@ -962,7 +962,7 @@ struct curlFileTransfer : public FileTransfer`
`962`	`962`	`writeFull(wakeupPipe.writeSide.get(), " ");`
`963`	`963`	`#endif`
`964`	`964`
`965`		`- return ItemHandle(static_cast<Item &>(*item));`
	`965`	`+ return ItemHandle(ref<Item>(std::move(item)));`
`966`	`966`	`}`
`967`	`967`
`968`	`968`	`ItemHandle`
`@@ -977,7 +977,7 @@ struct curlFileTransfer : public FileTransfer`
`977`	`977`	`return enqueueItem(item);`
`978`	`978`	`} catch (const nix::Error & e) {`
`979`	`979`	`item->fail(e);`
`980`		`- return ItemHandle(static_cast<Item &>(*item));`
	`980`	`+ return ItemHandle(ref<Item>(std::move(item)));`
`981`	`981`	`}`
`982`	`982`	`}`
`983`	`983`
`@@ -986,7 +986,7 @@ struct curlFileTransfer : public FileTransfer`
`986`	`986`	`return enqueueItem(item);`
`987`	`987`	`} catch (const nix::Error & e) {`
`988`	`988`	`item->fail(e);`
`989`		`- return ItemHandle(static_cast<Item &>(*item));`
	`989`	`+ return ItemHandle(ref<Item>(std::move(item)));`
`990`	`990`	`}`
`991`	`991`	`}`
`992`	`992`
`@@ -1001,7 +1001,7 @@ struct curlFileTransfer : public FileTransfer`
`1001`	`1001`
`1002`	`1002`	`void unpauseTransfer(ItemHandle handle) override`
`1003`	`1003`	`{`
`1004`		`- unpauseTransfer(ref{static_cast<TransferItem &>(handle.item.get()).shared_from_this()});`
	`1004`	`+ unpauseTransfer(ref{static_cast<TransferItem &>(*handle.item).shared_from_this()});`
`1005`	`1005`	`}`
`1006`	`1006`	`};`
`1007`	`1007`
Original file line number	Diff line number	Diff line change
`@@ -262,11 +262,11 @@ public:`
`262`	`262`	`*/`
`263`	`263`	`struct ItemHandle`
`264`	`264`	`{`
`265`		`- std::reference_wrapper<Item> item;`
	`265`	`+ ref<Item> item;`
`266`	`266`	`friend struct FileTransfer;`
`267`	`267`
`268`		`- ItemHandle(Item & item)`
`269`		`- : item(item)`
	`268`	`+ explicit ItemHandle(ref<Item> item)`
	`269`	`+ : item(std::move(item))`
`270`	`270`	`{`
`271`	`271`	`}`
`272`	`272`	`};`