From da7ca1efcf3a621c27f05d621715e57fdc5aa397 Mon Sep 17 00:00:00 2001
From: Krutika Dhananjay <kdhananj@redhat.com>
Date: Wed, 28 Nov 2012 22:29:36 +0530
Subject: protocol/server: Do not access key after GF_FREE in
 _delete_auth_opt()

PROBLEMS:

1.'key' becomes a dangling pointer after the first call to dict_del()
   returns, in _delete_auth_opt(). Therefore, the second call to
   fnmatch() is made with 'key' pointing to deallocated space.

2. Also, the name _delete_auth_opt seems to suggest that the function
   is intended to match and delete "auth" options from the dictionary.
   But it winds up deleting all the options irrespective of whether
   the pattern match was successful or not. The same is true with
   _copy_auth_opt().

FIX:

Changed _delete_auth_opt() to delete the key ONLY if it matches either
of the two patterns (auth.addr.*.allow and auth.addr.*.reject).
Similarly, changed _copy_auth_opt() along the same lines.

Change-Id: Ic8664e5a0a29cefe43cb59a27e32fbdbeac154b5
BUG: 881062
Signed-off-by: Krutika Dhananjay <kdhananj@redhat.com>
Reviewed-on: http://review.gluster.org/4337
Reviewed-by: Pranith Kumar Karampuri <pkarampu@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Anand Avati <avati@redhat.com>
---
 xlators/protocol/server/src/server.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

(limited to 'xlators/protocol')

diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 908f62a7b..19f09a82f 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -839,13 +839,16 @@ static int
 _delete_auth_opt (dict_t *this, char *key, data_t *value, void *data)
 {
         char *auth_option_pattern[] = { "auth.addr.*.allow",
-                                        "auth.addr.*.reject"};
+                                        "auth.addr.*.reject",
+                                        NULL};
+        int i = 0;
 
-        if (fnmatch ( auth_option_pattern[0], key, 0) != 0)
-                dict_del (this, key);
-
-        if (fnmatch ( auth_option_pattern[1], key, 0) != 0)
-                dict_del (this, key);
+        for (i = 0; auth_option_pattern[i]; i++) {
+                if (fnmatch (auth_option_pattern[i], key, 0) == 0) {
+                        dict_del (this, key);
+                        break;
+                }
+        }
 
         return 0;
 }
@@ -855,12 +858,16 @@ static int
 _copy_auth_opt (dict_t *unused, char *key, data_t *value, void *xl_dict)
 {
         char *auth_option_pattern[] = { "auth.addr.*.allow",
-                                        "auth.addr.*.reject"};
-        if (fnmatch ( auth_option_pattern[0], key, 0) != 0)
-                dict_set ((dict_t *)xl_dict, key, (value));
+                                        "auth.addr.*.reject",
+                                        NULL};
+        int i = 0;
 
-        if (fnmatch ( auth_option_pattern[1], key, 0) != 0)
-                dict_set ((dict_t *)xl_dict, key, (value));
+        for (i = 0; auth_option_pattern [i]; i++) {
+                if (fnmatch (auth_option_pattern[i], key, 0) == 0) {
+                        dict_set ((dict_t *)xl_dict, key, value);
+                        break;
+                }
+        }
 
         return 0;
 }
-- 
cgit