From 62992ac27d729ecc7da500ce42dc46592c13d003 Mon Sep 17 00:00:00 2001 From: Jeff Darcy Date: Mon, 1 Jun 2015 15:21:00 -0400 Subject: stripe: fix use-after-free Pretty much a classic case. STRIPE_STACK_UNWIND frees the "local" structure. In the "virtual xattr" path, used for lock recovery among other things, we were calling STRIPE_STACK_UNWIND and then continuing to clean up "our" parts of the just-freed structure. Oops. Change-Id: Ifa961b89cd21a2893de39a9eea243d184f9eac46 BUG: 1222317 Signed-off-by: Jeff Darcy Reviewed-on: http://review.gluster.org/11037 Reviewed-by: Krishnan Parthasarathi Tested-by: Gluster Build System Tested-by: NetBSD Build System Reviewed-by: Niels de Vos --- xlators/cluster/stripe/src/stripe.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/xlators/cluster/stripe/src/stripe.c b/xlators/cluster/stripe/src/stripe.c index 71d9230f708..dbb76c30b38 100644 --- a/xlators/cluster/stripe/src/stripe.c +++ b/xlators/cluster/stripe/src/stripe.c @@ -5445,12 +5445,18 @@ stripe_vgetxattr_cbk (call_frame_t *frame, void *cookie, } unwind: - STRIPE_STACK_UNWIND (getxattr, frame, op_ret, op_errno, - stripe_xattr, NULL); - + /* + * Among other things, STRIPE_STACK_UNWIND will free "local" + * for us. That means we can't dereference it afterward. + * Fortunately, the actual result is in stripe_xattr now, so we + * can simply clean up before unwinding. + */ ret = stripe_free_xattr_str (local); - GF_FREE (local->xattr_list); + local->xattr_list = NULL; + + STRIPE_STACK_UNWIND (getxattr, frame, op_ret, op_errno, + stripe_xattr, NULL); if (stripe_xattr) dict_unref (stripe_xattr); -- cgit