From 865d156d30498cd1bf4219ddbbb304d2ffd4aea0 Mon Sep 17 00:00:00 2001
From: Emmanuel Dreyfus <manu@netbsd.org>
Date: Wed, 20 Aug 2014 10:50:35 +0200
Subject: Fix quotad RPC options use-after-free bug in gluster

In cli/src/cli.c:cli_quotad_clnt_rpc_init(), dict_unref (rpc_opts)
causes the options to be freed while code in rpc/rpc-transport/socket
still relies on it. The options are corrupted when memory is reallocated,
which sometimes leads to a crashes on NetBSD when socket_connect()
attempted to read options.

Fix the problem by not doing the dict_unref(). Make sure the rpc_opts
are freed on error, though.

BUG: 1129939
Change-Id: If1d6ea50cc3e1599e9e369863c8db0c0694d3671
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/8502
Reviewed-by: Santosh Pradhan <spradhan@redhat.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>
Tested-by: Krishnan Parthasarathi <kparthas@redhat.com>
---
 cli/src/cli.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'cli/src/cli.c')

diff --git a/cli/src/cli.c b/cli/src/cli.c
index fa3c747d154..992f6a54321 100644
--- a/cli/src/cli.c
+++ b/cli/src/cli.c
@@ -553,7 +553,10 @@ cli_quotad_clnt_rpc_init (void)
 
         global_quotad_rpc = rpc;
 out:
-        dict_unref (rpc_opts);
+        if (ret) {
+                if (rpc_opts)
+                        dict_destroy(rpc_opts);
+        }
         return rpc;
 }
 
-- 
cgit