From 25da481bc5b06d671e41e5a70b2c145777154bf1 Mon Sep 17 00:00:00 2001 From: Krishnan Parthasarathi Date: Fri, 10 Jun 2011 04:42:28 +0000 Subject: pump: cleanup potential dict related memory corruption. Signed-off-by: Krishnan Parthasarathi Signed-off-by: Anand Avati BUG: 2489 (GlusterFS crashing with replace-brick) URL: http://bugs.gluster.com/cgi-bin/bugzilla3/show_bug.cgi?id=2489
---
 xlators/cluster/afr/src/afr-self-heal-data.c | 38 ++++++++++++++++++---------- 1 file changed, 25 insertions(+), 13 deletions(-) (limited to 'xlators/cluster/afr/src/afr-self-heal-data.c')
diff --git a/xlators/cluster/afr/src/afr-self-heal-data.c b/xlators/cluster/afr/src/afr-self-heal-data.c
index 5adaba1c9..d4516c4ce 100644
--- a/xlators/cluster/afr/src/afr-self-heal-data.c
+++ b/xlators/cluster/afr/src/afr-self-heal-data.c
@@ -859,12 +859,11 @@ afr_sh_data_fxattrop_cbk (call_frame_t *frame, void *cookie,
 int
 afr_sh_data_fxattrop (call_frame_t *frame, xlator_t *this)
 {
- afr_self_heal_t *sh = NULL;
- afr_local_t *local = NULL;
- afr_private_t *priv = NULL;
- dict_t *xattr_req = NULL;
-
- int32_t zero_pending[3] = {0, 0, 0};
+ afr_self_heal_t *sh = NULL;
+ afr_local_t *local = NULL;
+ afr_private_t *priv = NULL;
+ dict_t *xattr_req = NULL;
+ int32_t *zero_pending = NULL;
 int call_count = 0;
 int i = 0;
@@ -880,14 +879,21 @@ afr_sh_data_fxattrop (call_frame_t *frame, xlator_t *this)
 local->call_count = call_count;
 xattr_req = dict_new();
- if (xattr_req) {
- for (i = 0; i < priv->child_count; i++) {
- ret = dict_set_static_bin (xattr_req, priv->pending_key[i],
- zero_pending, 3 * sizeof(int32_t));
- if (ret < 0)
- gf_log (this->name, GF_LOG_WARNING,
- "Unable to set dict value");
+ if (!xattr_req) {
+ ret = -1;
+ goto out;
+ }
+ for (i = 0; i < priv->child_count; i++) {
+ zero_pending = GF_CALLOC (3, sizeof (int32_t), gf_common_mt_int32_t);
+ if (!zero_pending) {
+ ret = -1;
+ goto out;
 }
+ ret = dict_set_dynptr (xattr_req, priv->pending_key[i],
+ zero_pending, 3 * sizeof(int32_t));
+ if (ret < 0)
+ gf_log (this->name, GF_LOG_WARNING,
+ "Unable to set dict value");
 }
 for (i = 0; i < priv->child_count; i++) {
@@ -904,8 +910,14 @@ afr_sh_data_fxattrop (call_frame_t *frame, xlator_t *this)
 }
 }
+out:
 if (xattr_req) dict_unref (xattr_req);
+ if (ret) {
+ GF_FREE (zero_pending)
+ sh->op_failed = -1;
+ afr_sh_data_done (frame, this);
+ }
 return 0;
 }
-- cgit
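Review bot: In the first loop a failed `dict_set_dynptr` is only logged, so `ret` stays negative while the function carries on into the second `for` loop. If the failure is on the last child, control later reaches `out:` with `ret` set and runs the failure path, including `afr_sh_data_done (frame, this)`, after that second loop has already run; its body is outside the hunk, so what it has issued by then needs checking. A failure on an earlier child is overwritten by the next successful call, and the key is then silently missing from `xattr_req`. Handling it the same way as the `GF_CALLOC` failure keeps the two error paths consistent: `if (ret < 0) { gf_log (...); goto out; }`.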
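Review bot: The `out:` path calls `GF_FREE (zero_pending)` on a pointer that, as far as the visible lines show, can be non-NULL with `ret` set only when the last `dict_set_dynptr` call failed. Whether `dict_set_dynptr` releases the buffer on failure is not visible in this diff; if it does, this is a double free, and if it took ownership the `dict_unref` just above presumably released it already. Setting `zero_pending = NULL;` right after a successful `dict_set_dynptr`, and confirming who owns the buffer when it fails, would leave only one owner for the free. `GF_FREE (zero_pending)` also has no terminating semicolon, so it compiles only if the macro expands to a complete statement; writing `GF_FREE (zero_pending);` avoids depending on that.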