authorRaghavendra Bhat <raghavendra@redhat.com>2014-01-09 20:22:58 +0530
committerRaghavendra Bhat <raghavendra@redhat.com>2014-01-13 10:23:39 +0530
commitbae3b86cc44adb43fb70f674da1d9e31c60bba96 (patch)
tree99a14ea82cd339a1b80478e5d70e63f2eef65313
parent847e14ccbaddd5d1f06f9200cba063ee007199ad (diff)
protocol/server: copy the response into the payload instead of using the pointer
The response structure filled in by server_submit_reply is local to that function (i.e. stack allocated), and its address is stored in the barrier payload for later use when sending the replies. After server_submit_reply returns, the pointer is no longer valid and refers to invalid data, which leads either to a segfault due to illegal memory access or to the reply not being sent, because the total reply length read from that memory might not be valid. So instead of saving the pointer inside the payload, save the complete reply itself. Change-Id: I7d0b7b181584865199357a67165b99bf35def5ab Signed-off-by: Raghavendra Bhat <raghavendra@redhat.com>
-rw-r--r--rpc/rpc-transport/socket/src/socket.c1
-rw-r--r--xlators/protocol/server/src/server-helpers.c7
-rw-r--r--xlators/protocol/server/src/server.h2
3 files changed, 7 insertions, 3 deletions
diff --git a/rpc/rpc-transport/socket/src/socket.c b/rpc/rpc-transport/socket/src/socket.c
index 93da3f2..3314c92 100644
--- a/rpc/rpc-transport/socket/src/socket.c
+++ b/rpc/rpc-transport/socket/src/socket.c
@@ -3138,6 +3138,7 @@ socket_submit_reply (rpc_transport_t *this, rpc_transport_reply_t *reply)
}
priv->submit_log = 0;
+
entry = __socket_ioq_new (this, &reply->msg);
if (!entry)
goto unlock;
diff --git a/xlators/protocol/server/src/server-helpers.c b/xlators/protocol/server/src/server-helpers.c
index 12951a7..a4055f1 100644
--- a/xlators/protocol/server/src/server-helpers.c
+++ b/xlators/protocol/server/src/server-helpers.c
@@ -964,7 +964,7 @@ gf_barrier_transmit (server_conf_t *conf, gf_barrier_payload_t *payload)
if (client)
lk_heal = ((server_conf_t *) client->this->private)->lk_heal;
- ret = rpcsvc_submit_generic (payload->req, payload->rsp, 1,
+ ret = rpcsvc_submit_generic (payload->req, &payload->rsp, 1,
payload->payload, payload->payload_count,
payload->iobref);
iobuf_unref (payload->iob);
@@ -1240,6 +1240,9 @@ gf_barrier_payload (rpcsvc_request_t *req, struct iovec *rsp,
{
gf_barrier_payload_t *payload = NULL;
+ if (!rsp)
+ return NULL;
+
payload = GF_CALLOC (1, sizeof (*payload),1);
if (!payload)
return NULL;
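Review bot: The new `if (!rsp) return NULL;` guard in gf_barrier_payload makes a NULL response indistinguishable from the allocation failure a few lines below, because both paths return NULL without logging anything. The caller is not visible in this diff; if it treats NULL as out-of-memory, or simply drops the reply, a caller-side bug will look like memory pressure and the request may never be answered. I would log at the guard and document the contract above the function, for example `/* returns NULL if rsp is NULL or on allocation failure; the caller must still complete or fail the request */`. The function body starts and ends outside the hunk.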
@@ -1247,7 +1250,7 @@ gf_barrier_payload (rpcsvc_request_t *req, struct iovec *rsp,
INIT_LIST_HEAD (&payload->list);
payload->req = req;
- payload->rsp = rsp;
+ memcpy (&payload->rsp, rsp, sizeof (struct iovec));
payload->frame = frame;
payload->payload = payload_orig;
payload->payload_count = payloadcount;
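Review bot: The `memcpy` into `payload->rsp` copies only the `iov_base`/`iov_len` pair, so the queued payload still borrows whatever buffer `rsp->iov_base` points to, and the stale-stack-pointer fix is complete only if that buffer outlives the payload. The `iobuf_unref (payload->iob)` in gf_barrier_transmit suggests a reference on the iobuf is held for this purpose, but where it is taken is outside the visible hunks, so it is worth confirming and recording next to the copy, e.g. `/* shallow copy: iov_base must stay valid via payload->iob until transmit */`. A plain struct assignment, `payload->rsp = *rsp;`, would also be type-checked and cannot drift from the field's type the way `sizeof (struct iovec)` can. The function body starts and ends outside the hunk.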
diff --git a/xlators/protocol/server/src/server.h b/xlators/protocol/server/src/server.h
index 82554ae..165058e 100644
--- a/xlators/protocol/server/src/server.h
+++ b/xlators/protocol/server/src/server.h
@@ -30,7 +30,7 @@
struct _gf_barrier_payload {
rpcsvc_request_t *req;
- struct iovec *rsp;
+ struct iovec rsp;
call_frame_t *frame;
struct iovec *payload;
struct iobref *iobref;