summaryrefslogtreecommitdiffstats
path: root/xlators/protocol/client/src/client.c
diff options
context:
space:
mode:
authorNiels de Vos <ndevos@redhat.com>2015-11-12 09:57:19 +0100
committerJeff Darcy <jdarcy@redhat.com>2015-11-17 09:14:20 -0800
commitdc3aa7524e4974f9d02465e2e5dd6ed9b6d319e1 (patch)
tree3caf87ff7ddb0ac78850ea053ee43a0dcbcac614 /xlators/protocol/client/src/client.c
parentf71c08b8d592fa6125fee57fb73f774ce522756c (diff)
protocol/client: prevent use-after-free of frame->root
A regression failure generated a coredump on the glusterfs-client side: (gdb) f 0 #0 0x00007fba6cd76432 in client_submit_request (this=0x7fba68006fc0, req=0x7fba6579aa70, frame=0x7fba5c0058cc, prog=0x7fba6cfb53c0 <clnt3_3_fop_prog>, procnum=41, cbkfn=0x7fba6cd9206d <client3_3_release_cbk>, iobref=0x0, rsphdr=0x0, rsphdr_count=0, rsp_payload=0x0, rsp_payload_count=0, rsp_iobref=0x0, xdrproc=0x7fba79801075 <xdr_gfs3_release_req>) at /home/jenkins/root/workspace/rackspace-regression-2GB-triggered/xlators/protocol/client/src/client.c:324 324 frame->root->ngrps = ngroups; (gdb) l 319 gf_msg_debug (this->name, 0, "rpc_clnt_submit failed"); 320 } 321 322 if (!conf->send_gids) { 323 /* restore previous values */ 324 frame->root->ngrps = ngroups; 325 if (ngroups <= SMALL_GROUP_COUNT) 326 frame->root->groups_small[0] = gid; 327 } 328 (gdb) p *frame->root Cannot access memory at address 0x64185df000000000 After looking at this in more detail, the flow is like this: client_submit_request() | '- rpc_clnt_submit() // on line 314 | '- cbkfn() // = client3_3_release_cbk | :- STACK_DESTROY (frame->root); .----' .----' | :- frame->root->ngrps = ngroups; // on line 324 ' So, there is a use-after-free, and it is not needed to restore the previous groups in frame->root. Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2 BUG: 128128 Signed-off-by: Niels de Vos <ndevos@redhat.com> Reviewed-on: http://review.gluster.org/12575 Reviewed-by: Dan Lambright <dlambrig@redhat.com> Tested-by: NetBSD Build System <jenkins@build.gluster.org> Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Diffstat (limited to 'xlators/protocol/client/src/client.c')
-rw-r--r--xlators/protocol/client/src/client.c16
1 files changed, 2 insertions, 14 deletions
diff --git a/xlators/protocol/client/src/client.c b/xlators/protocol/client/src/client.c
index dc3b75d..39ac7c3 100644
--- a/xlators/protocol/client/src/client.c
+++ b/xlators/protocol/client/src/client.c
@@ -228,8 +228,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
struct iobref *new_iobref = NULL;
ssize_t xdr_size = 0;
struct rpc_req rpcreq = {0, };
- uint64_t ngroups = 0;
- uint64_t gid = 0;
GF_VALIDATE_OR_GOTO ("client", this, out);
GF_VALIDATE_OR_GOTO (this->name, prog, out);
@@ -300,14 +298,11 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
/* do not send all groups if they are resolved server-side */
if (!conf->send_gids) {
- /* copy some values for restoring later */
- ngroups = frame->root->ngrps;
- frame->root->ngrps = 1;
- if (ngroups <= SMALL_GROUP_COUNT) {
- gid = frame->root->groups_small[0];
+ if (frame->root->ngrps <= SMALL_GROUP_COUNT) {
frame->root->groups_small[0] = frame->root->gid;
frame->root->groups = frame->root->groups_small;
}
+ frame->root->ngrps = 1;
}
/* Send the msg */
@@ -319,13 +314,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
gf_msg_debug (this->name, 0, "rpc_clnt_submit failed");
}
- if (!conf->send_gids) {
- /* restore previous values */
- frame->root->ngrps = ngroups;
- if (ngroups <= SMALL_GROUP_COUNT)
- frame->root->groups_small[0] = gid;
- }
-
ret = 0;
if (new_iobref)