libstore: fix data race in getFileTransfer() singleton replacement

Multiple threads could simultaneously observe that the singleton
FileTransfer instance has quit and attempt to replace it without
synchronization. This caused undefined behavior as multiple threads
would write to the same static std::shared_ptr concurrently.

Fixed by adding a mutex to ensure only one thread can replace the
singleton instance, using double-checked locking pattern to minimize
performance impact.

Author: Mic92

src/libstore/filetransfer.cc

@@ -28,6 +28,7 @@
 #include <random>
 #include <thread>
 #include <regex>
+#include <mutex>
 
 using namespace std::string_literals;
 
@@ -844,9 +845,17 @@ ref<curlFileTransfer> makeCurlFileTransfer()
 ref<FileTransfer> getFileTransfer()
 {
     static ref<curlFileTransfer> fileTransfer = makeCurlFileTransfer();
-
-    if (fileTransfer->state_.lock()->quit)
-        fileTransfer = makeCurlFileTransfer();
+    static std::mutex fileTransferMutex;
+
+    // Check if the current instance has quit
+    if (fileTransfer->state_.lock()->quit) {
+        // Only one thread should replace the singleton
+        std::lock_guard<std::mutex> guard(fileTransferMutex);
+        // Double-check after acquiring the lock
+        if (fileTransfer->state_.lock()->quit) {
+            fileTransfer = makeCurlFileTransfer();
+        }
+    }
 
     return fileTransfer;
 }