authorRusty Russell <rusty@rustcorp.com.au>2011-03-24 14:10:22 +1030
committerRusty Russell <rusty@rustcorp.com.au>2011-03-24 14:10:22 +1030
commit40bab4d5df030f84a63d9c6cb1348d8f27442a0a (patch)
treeb37cd96ee558308af4cbf153582f4111e4369923
parente1fd1d9623ef2f944374d67b573a6f1cf7a9ed12 (diff)
tdb2: fix use after free on error message
We use "r" after we call tdb_access_release() when we find corruption in the free list. "r" may be a pointer into malloced memory, freed by tdb_access_release().
-rw-r--r--ccan/tdb2/free.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/ccan/tdb2/free.c b/ccan/tdb2/free.c
index 7633eb77..7ede2461 100644
--- a/ccan/tdb2/free.c
+++ b/ccan/tdb2/free.c
@@ -457,12 +457,12 @@ again:
}
if (frec_magic(r) != TDB_FREE_MAGIC) {
- tdb_access_release(tdb, r);
ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
"lock_and_alloc:"
" %llu non-free 0x%llx",
(long long)off,
(long long)r->magic_and_prev);
+ tdb_access_release(tdb, r);
goto unlock_err;
}
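Review bot: Nothing at the moved `tdb_access_release(tdb, r);` line records why it has to stay below the `tdb_logerr()` call, so a later tidy-up could move it back above the last read of `r->magic_and_prev` and reintroduce the read of freed memory on this corruption path. I would add a comment on that line, for example `/* r may point into malloced memory freed by tdb_access_release(); release only after the last use of r. */`. The format string also pairs `%llu` and `%llx` with `(long long)` casts; `(unsigned long long)off` and `(unsigned long long)r->magic_and_prev` would match the specifiers. The enclosing function and the `again:` and `unlock_err` labels lie outside the hunk, so any other path that releases `r` before reading it is not visible here and is worth checking for the same ordering.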