From fa6239432ed752fbc3e5250d249687d01fcb908b Mon Sep 17 00:00:00 2001
From: zkocon <Zbigniew.Kocon@ttsw.com.pl>
Date: Mon, 12 Aug 2024 15:03:01 +0200
Subject: [PATCH] fix heap-use-after-free condition when cancelling spawned
 task, closes #194

The variable "recs" was allocated on a piece of memory whose lifetime
was managed at the level of the coroutine (inside its frame). This led
to access to freed memory if that coroutine (its frame) was deleted
---
 include/boost/cobalt/detail/spawn.hpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/include/boost/cobalt/detail/spawn.hpp b/include/boost/cobalt/detail/spawn.hpp
index 296a5769..7ae674fe 100644
--- a/include/boost/cobalt/detail/spawn.hpp
+++ b/include/boost/cobalt/detail/spawn.hpp
@@ -11,8 +11,6 @@
 #include <boost/cobalt/task.hpp>
 #include <boost/asio/dispatch.hpp>
 
-#include <boost/smart_ptr/allocate_unique.hpp>
-
 namespace boost::cobalt
 {
 template<typename T>
@@ -46,7 +44,7 @@ struct async_initiate_spawn
 #else
     auto alloc = asio::get_associated_allocator(h);
 #endif
-    auto recs = std::allocate_shared<detail::task_receiver<T>>(alloc, std::move(rec));
+    auto recs = std::make_shared<detail::task_receiver<T>>(std::move(rec));
 
     auto sl = asio::get_associated_cancellation_slot(h);
     if (sl.is_connected())
@@ -108,7 +106,7 @@ struct async_initiate_spawn
 #else
     auto alloc = asio::get_associated_allocator(h);
 #endif
-    auto recs = std::allocate_shared<detail::task_receiver<void>>(alloc, std::move(a.receiver_));
+    auto recs = std::make_shared<detail::task_receiver<void>>(std::move(a.receiver_));
 
     if (recs->done)
       return asio::dispatch(asio::get_associated_immediate_executor(h, exec),