From 6fa531c57c633827283fba6a3cdaa1c68976ccb7 Mon Sep 17 00:00:00 2001 From: Bhumika Goyal Date: Tue, 7 Aug 2018 15:28:13 +0530 Subject: xlators: protocol: Fix deferencing pointer after free coverity issues The pointer of type struct iobuf * is getting dereferenced after getting freed by iobuf_unref function. Therefore, move this function after all the dereferences of this pointer type. Also, it is useful coding standard to have iobuf_unref just after iobref_add. So, move iobref_add too. Occurences found using Coccinelle script: @@ identifier rsphdr_iobuf; expression E; identifier func; @@ *iobuf_unref(rsphdr_iobuf); ... *E = func(rsphdr_iobuf); Fixes CID: 1390517, 1390278, 1388666, 1356588, 1356587 at [1]. and also some more occurences which were found using the above script but not caught by Coverity. [1]. https://scan6.coverity.com/reports.htm#v42388/p10714/fileInstanceId=84384920&defectInstanceId=25600709&mergedDefectId=1388666 Change-Id: I579e9d12698f14e9e24bc926c6efef16bac5c06c updates: bz#789278 Signed-off-by: Bhumika Goyal --- xlators/protocol/client/src/client-helpers.c | 10 +++---- xlators/protocol/client/src/client-rpc-fops.c | 37 ++++++++++-------------- xlators/protocol/client/src/client-rpc-fops_v2.c | 9 +++--- 3 files changed, 24 insertions(+), 32 deletions(-) diff --git a/xlators/protocol/client/src/client-helpers.c b/xlators/protocol/client/src/client-helpers.c index 75cfd55b8fa..ddb88795fee 100644 --- a/xlators/protocol/client/src/client-helpers.c +++ b/xlators/protocol/client/src/client-helpers.c 
@@ -1268,15 +1268,14 @@ client_handle_fop_requirements (xlator_t *this, call_frame_t *frame, } } - iobref_add (*rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - if (*rsp_count + 1 >= MAX_IOVEC) { op_errno = ENOMEM; goto out; } rsp_vector[*rsp_count].iov_base = iobuf_ptr (rsp_iobuf); rsp_vector[*rsp_count].iov_len = iobuf_pagesize (rsp_iobuf); + iobref_add (*rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; if (args->size > rsp_vector[*rsp_count].iov_len) { gf_msg (this->name, GF_LOG_WARNING, ENOMEM, @@ -2371,15 +2370,14 @@ client_handle_fop_requirements_v2 (xlator_t *this, call_frame_t *frame, } } - iobref_add (*rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - if (*rsp_count + 1 >= MAX_IOVEC) { op_errno = ENOMEM; goto out; } rsp_vector[*rsp_count].iov_base = iobuf_ptr (rsp_iobuf); rsp_vector[*rsp_count].iov_len = iobuf_pagesize (rsp_iobuf); + iobref_add (*rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; if (args->size > rsp_vector[*rsp_count].iov_len) { gf_msg (this->name, GF_LOG_WARNING, ENOMEM, diff --git a/xlators/protocol/client/src/client-rpc-fops.c b/xlators/protocol/client/src/client-rpc-fops.c index cf2d913dd71..5c5a96d9178 100644 --- a/xlators/protocol/client/src/client-rpc-fops.c +++ b/xlators/protocol/client/src/client-rpc-fops.c @@ -3456,13 +3456,13 @@ client3_3_readlink (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsp_iobuf); rsphdr->iov_len = iobuf_pagesize (rsp_iobuf); count = 1; local->iobref = rsp_iobref; + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; rsp_iobref = NULL; 
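Review bot: In client_handle_fop_requirements the `*rsp_count + 1 >= MAX_IOVEC` check now runs before `iobref_add`/`iobuf_unref`, so its `goto out` is taken while rsp_iobuf still holds its own reference and has not been attached to `*rsp_iobref`. The `out` label lies outside the hunk; if it does not release a non-NULL rsp_iobuf, the buffer leaks on this path. Please confirm that it does, or put `iobuf_unref (rsp_iobuf); rsp_iobuf = NULL;` ahead of the `goto out`. The second hunk, in client_handle_fop_requirements_v2, has the same ordering and needs the same check.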
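Review bot: The result of `iobref_add (rsp_iobref, rsp_iobuf)` is still discarded in client3_3_readlink, and in every other hunk of this commit. If that call can fail (its definition is not part of this diff), the `iobuf_unref` right after it would drop the last reference while `rsphdr->iov_base` still points into the buffer. The reorder would then silence the Coverity pattern without closing the dangling-pointer case. Since `iobref_add` itself does not release anything, it could stay ahead of the dereferences as `if (iobref_add (rsp_iobref, rsp_iobuf) != 0) goto unwind;`, with only `iobuf_unref (rsp_iobuf);` moved down and a comment such as `/* rsp_iobref owns the buffer from here; do not touch rsp_iobuf again */`. The function body and the `unwind` cleanup are outside the hunk, so check that they release rsp_iobuf on that new failure path.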
@@ -4029,12 +4029,11 @@ client3_3_readv (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - rsp_vec.iov_base = iobuf_ptr (rsp_iobuf); rsp_vec.iov_len = iobuf_pagesize (rsp_iobuf); + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; if (args->size > rsp_vec.iov_len) { @@ -4555,14 +4554,13 @@ client3_3_fgetxattr (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsp_iobuf); rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);; count = 1; local->iobref = rsp_iobref; + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; rsp_iobref = NULL; @@ -4650,14 +4648,13 @@ client3_3_getxattr (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsp_iobuf); rsphdr->iov_len = iobuf_pagesize (rsp_iobuf); count = 1; local->iobref = rsp_iobref; + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; rsp_iobref = NULL; @@ -4771,14 +4768,13 @@ client3_3_xattrop (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsp_iobuf); rsphdr->iov_len = iobuf_pagesize (rsp_iobuf); count = 1; local->iobref = rsp_iobref; + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; rsp_iobref = NULL; 
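Review bot: The context line `rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);;` in the client3_3_fgetxattr hunk carries a stray second semicolon. It is a harmless empty statement, but the commit already edits the lines around it, so it is worth reducing to `rsphdr->iov_len = iobuf_pagesize (rsp_iobuf);` in the same change.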
@@ -4872,13 +4868,13 @@ client3_3_fxattrop (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsp_iobuf); rsphdr->iov_len = iobuf_pagesize (rsp_iobuf); count = 1; local->iobref = rsp_iobref; + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; rsp_iobref = NULL; @@ -5485,14 +5481,13 @@ client3_3_readdirp (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsp_iobuf); rsphdr->iov_len = iobuf_pagesize (rsp_iobuf); count = 1; local->iobref = rsp_iobref; + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; rsp_iobref = NULL; } @@ -5884,12 +5879,12 @@ client3_3_compound (call_frame_t *frame, xlator_t *this, void *data) goto unwind; } - iobref_add (rsphdr_iobref, rsphdr_iobuf); - iobuf_unref (rsphdr_iobuf); rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsphdr_iobuf); rsphdr->iov_len = iobuf_pagesize (rsphdr_iobuf); rsphdr_count = 1; + iobref_add (rsphdr_iobref, rsphdr_iobuf); + iobuf_unref (rsphdr_iobuf); rsphdr_iobuf = NULL; req.compound_fop_enum = c_args->fop_enum; diff --git a/xlators/protocol/client/src/client-rpc-fops_v2.c b/xlators/protocol/client/src/client-rpc-fops_v2.c index 35731920a2e..dc5b8d4ac83 100644 --- a/xlators/protocol/client/src/client-rpc-fops_v2.c +++ b/xlators/protocol/client/src/client-rpc-fops_v2.c @@ -4960,14 +4960,13 @@ client4_0_readdirp (call_frame_t *frame, xlator_t *this, goto unwind; } - iobref_add (rsp_iobref, rsp_iobuf); - iobuf_unref (rsp_iobuf); - rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsp_iobuf); rsphdr->iov_len = iobuf_pagesize (rsp_iobuf); count = 1; local->iobref = rsp_iobref; + iobref_add (rsp_iobref, rsp_iobuf); + iobuf_unref (rsp_iobuf); rsp_iobuf = NULL; rsp_iobref = NULL; } 
@@ -5952,12 +5951,12 @@ client4_0_compound (call_frame_t *frame, xlator_t *this, void *data) goto unwind; } - iobref_add (rsphdr_iobref, rsphdr_iobuf); - iobuf_unref (rsphdr_iobuf); rsphdr = &vector[0]; rsphdr->iov_base = iobuf_ptr (rsphdr_iobuf); rsphdr->iov_len = iobuf_pagesize (rsphdr_iobuf); rsphdr_count = 1; + iobref_add (rsphdr_iobref, rsphdr_iobuf); + iobuf_unref (rsphdr_iobuf); rsphdr_iobuf = NULL; req.compound_fop_enum = c_args->fop_enum; -- cgit