From 7ad8b05dc3003102ac192b1bb6bcae5c57e148cf Mon Sep 17 00:00:00 2001
From: Anand Avati
Date: Thu, 25 Apr 2013 22:46:50 -0700
Subject: rpcsvc: fix dangerous setting of pointer on free'd structure

The current code is setting @req->hdr_iobuf = NULL _after_ calling actor_fn() on @req. Calling actor_fn() takes away all guarantees of whether @req is still a valid object or destroyed. Unfortunately most of the times the object is allocated from mem-pool and a mem_put() still keeps the arena allocated (no crash). However once the mem-pool is full and allocation falls back to malloc()/free() the code actually becomes dangerous.

This resulted in random crashes when the system load is high (when there were sufficient outstanding calls that @rpc pool got full)

Change-Id: I4398c717aa0e2c5f06733212b64dd79e7b2a4136
BUG: 884452
Signed-off-by: Anand Avati
Reviewed-on: http://review.gluster.org/4990
Reviewed-by: Krishnan Parthasarathi
Tested-by: Gluster Build System
--- rpc/rpc-lib/src/rpcsvc.c | 1 - 1 file changed, 1 deletion(-) (limited to 'rpc/rpc-lib') diff --git a/rpc/rpc-lib/src/rpcsvc.c b/rpc/rpc-lib/src/rpcsvc.c index db8ce2f3f..d69756cc0 100644 --- a/rpc/rpc-lib/src/rpcsvc.c +++ b/rpc/rpc-lib/src/rpcsvc.c @@ -547,7 +547,6 @@ rpcsvc_handle_rpc_call (rpcsvc_t *svc, rpc_transport_t *trans, req); } else { ret = actor_fn (req); - req->hdr_iobuf = NULL; } } -- cgit
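Review bot: In the else branch of rpcsvc_handle_rpc_call, nothing at `ret = actor_fn (req);` records that req may already be freed when the actor returns, so a later change could reintroduce a write like the one removed here. Please add a short comment at that call saying req must not be dereferenced after actor_fn() returns. The deleted `req->hdr_iobuf = NULL;` was also the only statement visible in this hunk that cleared that field, and neither the hunk nor the commit message says where hdr_iobuf is released now; if the assignment existed to stop the request teardown path from releasing the buffer a second time, that ownership hand-off has to happen before the actor_fn() call, and the message should state which path owns the buffer. The branch above, of which only the trailing `req);` is visible, passes req to another call as well, so it is worth confirming that nothing touches req after that call either.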