summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPranith Kumar K <pkarampu@redhat.com>2015-12-06 22:05:54 +0530
committerRaghavendra G <rgowdapp@redhat.com>2015-12-09 19:52:57 -0800
commita97ea63aaf4ee79bd6bb9759840fdaa43f37534c (patch)
treeff2c21353af61c9994044c02d200b29b89af0174
parentb7bdcc39b057ef6057778bd0ab8f36376fd76db0 (diff)
mount/fuse: Fix use-after-free crash
Backport of http://review.gluster.com/12886 fouh->len is accessed after 'node' is freed. Also 'rv' is int where as fouh->len is uint32, changed comparison to ssize_t variables. BUG: 1288922 Change-Id: Ib5e22ce56a022740fcc09ce430ff1de31a8a45d6 Signed-off-by: Pranith Kumar K <pkarampu@redhat.com> Reviewed-on: http://review.gluster.org/12887 Tested-by: Gluster Build System <jenkins@build.gluster.com> Tested-by: NetBSD Build System <jenkins@build.gluster.org> Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
Diffstat
-rw-r--r--xlators/mount/fuse/src/fuse-bridge.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
index 525e7605a45..6735ae464c6 100644
--- a/xlators/mount/fuse/src/fuse-bridge.c
+++ b/xlators/mount/fuse/src/fuse-bridge.c
@@ -3839,7 +3839,8 @@ notify_kernel_loop (void *data)
xlator_t *this = NULL;
fuse_private_t *priv = NULL;
struct fuse_out_header *fouh = NULL;
- int rv = 0;
+ ssize_t rv = 0;
+ ssize_t len = 0;
fuse_invalidate_node_t *node = NULL;
this = data;
@@ -3865,17 +3866,18 @@ notify_kernel_loop (void *data)
fouh = (struct fuse_out_header *)node->inval_buf;
+ len = fouh->len;
rv = write (priv->fd, node->inval_buf, fouh->len);
- GF_FREE (node);
-
- if (rv != fouh->len && !(rv == -1 && errno == ENOENT))
+ if (rv != len && !(rv == -1 && errno == ENOENT))
break;
+ GF_FREE (node);
}
gf_log ("glusterfs-fuse", GF_LOG_INFO,
"kernel notifier loop terminated");
+ GF_FREE (node);
return NULL;
}
#endif
generated by cgit (git 2.34.1) at 2025-11-04 15:02:22 +0000