diff options
| author | N Balachandran <nbalacha@redhat.com> | 2017-06-29 10:52:37 +0530 |
|---|---|---|
| committer | Shyamsundar Ranganathan <srangana@redhat.com> | 2017-07-05 14:10:20 +0000 |
| commit | d4adffdb8da96dfbbe68a8d325fc28941e1f8627 (patch) | |
| tree | 664a425d58ec1f5728d8cdcf7eba47d26a241251 | |
| parent | e9699c20eebf88d658eb9e32d7c6d00288b28cc2 (diff) | |
cluster:dht Fix crash in dht_rename_lock_cbk
Use a local variable to store the call count
in the STACK_WIND for loop. Using frame->local
is dangerous as it could be freed while the loop
is still being processed
> BUG: 1466110
> Signed-off-by: N Balachandran <nbalacha@redhat.com>
> Reviewed-on: https://review.gluster.org/17645
> Smoke: Gluster Build System <jenkins@build.gluster.org>
> Tested-by: Nigel Babu <nigelb@redhat.com>
> Reviewed-by: Amar Tumballi <amarts@redhat.com>
> Reviewed-by: Jeff Darcy <jeff@pl.atyp.us>
> CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
> Reviewed-by: Shyamsundar Ranganathan <srangana@redhat.com>
(cherry picked from commit 56da27cf5dc6ef54c7fa5282dedd6700d35a0ab0)
Change-Id: Ie65cdcfb7868509b4a83bc2a5b5d6304eabfbc8e
BUG: 1466859
Signed-off-by: N Balachandran <nbalacha@redhat.com>
Reviewed-on: https://review.gluster.org/17664
Smoke: Gluster Build System <jenkins@build.gluster.org>
Reviewed-by: Jeff Darcy <jeff@pl.atyp.us>
CentOS-regression: Gluster Build System <jenkins@build.gluster.org>
| -rw-r--r-- | xlators/cluster/dht/src/dht-rename.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/xlators/cluster/dht/src/dht-rename.c b/xlators/cluster/dht/src/dht-rename.c index 32806e911bb..3068499618c 100644 --- a/xlators/cluster/dht/src/dht-rename.c +++ b/xlators/cluster/dht/src/dht-rename.c @@ -1518,6 +1518,8 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this, dict_t *xattr_req = NULL; dht_conf_t *conf = NULL; int i = 0; + int count = 0; + local = frame->local; conf = this->private; @@ -1557,7 +1559,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this, goto done; } - local->call_cnt = local->lock[0].layout.parent_layout.lk_count; + count = local->call_cnt = local->lock[0].layout.parent_layout.lk_count; /* Why not use local->lock.locks[?].loc for lookup post lock phase * --------------------------------------------------------------- @@ -1577,7 +1579,7 @@ dht_rename_lock_cbk (call_frame_t *frame, void *cookie, xlator_t *this, * exists with the name that the client requested with. * */ - for (i = 0; i < local->lock[0].layout.parent_layout.lk_count; i++) { + for (i = 0; i < count; i++) { STACK_WIND_COOKIE (frame, dht_rename_lookup_cbk, (void *)(long)i, local->lock[0].layout.parent_layout.locks[i]->xl, local->lock[0].layout.parent_layout.locks[i]->xl->fops->lookup, |