From c862580c66ed7d2a8dc96b9051e5df86e1aae0d0 Mon Sep 17 00:00:00 2001 From: Raghavendra G Date: Thu, 14 Jan 2016 16:11:27 +0530 Subject: protocol/server: Fix memory corruption during client-table-expand. gf_client_clienttable_expand frees up old entries after expanding. So, cliententry should be reassigned to a free slot in new array of cliententries. Earlier it used to point to a slot in oldentries resulting in a use-after-free bug. Thanks to Pranith for the assistance provided. Change-Id: Iabe40c7df475471a7df7bccb302aef496ded3f1c BUG: 1298498 Signed-off-by: Raghavendra G Reviewed-on: http://review.gluster.org/13241 Smoke: Gluster Build System NetBSD-regression: NetBSD Build System Reviewed-by: Kaleb KEITHLEY CentOS-regression: Gluster Build System --- libglusterfs/src/client_t.c | 1 + 1 file changed, 1 insertion(+) (limited to 'libglusterfs') diff --git a/libglusterfs/src/client_t.c b/libglusterfs/src/client_t.c index 1c291518564..8cf14865665 100644 --- a/libglusterfs/src/client_t.c +++ b/libglusterfs/src/client_t.c @@ -265,6 +265,7 @@ gf_client_get (xlator_t *this, struct rpcsvc_auth_data *cred, char *client_uid) errno = result; goto unlock; } + cliententry = &clienttable->cliententries[client->tbl_index]; cliententry->next_free = clienttable->first_free; } cliententry->client = client; -- cgit
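Review bot: the added `cliententry = &clienttable->cliententries[client->tbl_index];` in gf_client_get, directly after the `goto unlock` error path, carries no comment explaining why the pointer is recomputed, so a later cleanup could remove it as redundant and reintroduce the use-after-free. Add a one-line comment there saying that gf_client_clienttable_expand frees the old entries, so any cliententry pointer taken before the call is stale and must be re-derived from the index. The visible context does not show where client->tbl_index is assigned relative to the expand call, so it is worth stating in the commit message or the comment that it names a free slot that is valid in the new array. The diffstat shows a single insertion in client_t.c and no test; a regression test that adds enough clients to force the table to expand would keep this path covered.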