From 88cfaa33b3c9949936490fc0da5add177b4979ad Mon Sep 17 00:00:00 2001
From: N Balachandran <nbalacha@redhat.com>
Date: Mon, 7 Dec 2015 13:32:57 +0530
Subject: cluster/tier : Fix double free in tier process

The tier process tries to free ipc_ctr_params twice
if the syncop_ipc call in tier_process_ctr_query fails.
ipc_ctr_params is freed when ctr_ipc_in_dict is freed.
But ctr_ipc_out_dict is NULL when syncop_ipc fails, causing
GF_FREE to be called on a non-NULL ipc_ctr_params ptr again.

> Change-Id: Ia15f36dfbcd97be5524588beb7caad5cb79efdb4
> Signed-off-by: N Balachandran <nbalacha@redhat.com>
> Reviewed-on: http://review.gluster.org/12890
> Reviewed-by: Joseph Fernandes
> Tested-by: NetBSD Build System <jenkins@build.gluster.org>
> Tested-by: Gluster Build System <jenkins@build.gluster.com>
> Reviewed-by: Dan Lambright <dlambrig@redhat.com>
> (cherry picked from commit 06818a0fd69bb0d6daabde73e5c3cc2661a70854)

Change-Id: Ida2da0416272ff1b04cf51f76467e27b62121f41
BUG: 1289414
Signed-off-by: N Balachandran <nbalacha@redhat.com>
Reviewed-on: http://review.gluster.org/12904
Reviewed-by: Joseph Fernandes
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Tested-by: NetBSD Build System <jenkins@build.gluster.org>
Reviewed-by: Dan Lambright <dlambrig@redhat.com>
Tested-by: Dan Lambright <dlambrig@redhat.com>
---
 xlators/cluster/dht/src/tier.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'xlators/cluster/dht/src/tier.c')

diff --git a/xlators/cluster/dht/src/tier.c b/xlators/cluster/dht/src/tier.c
index ce21332a89e..8685d84f7c6 100644
--- a/xlators/cluster/dht/src/tier.c
+++ b/xlators/cluster/dht/src/tier.c
@@ -837,6 +837,7 @@ tier_process_ctr_query (tier_brick_list_t *local_brick, void *args)
                 gf_msg (this->name, GF_LOG_ERROR, 0, LG_MSG_SET_PARAM_FAILED,
                         "Failed setting %s to params dictionary",
                         GFDB_IPC_CTR_GET_QUERY_PARAMS);
+                GF_FREE (ipc_ctr_params);
                 goto out;
         }
 
@@ -882,11 +883,8 @@ out:
         if (ctr_ipc_out_dict) {
                 dict_unref(ctr_ipc_out_dict);
                 ctr_ipc_out_dict = NULL;
-                ipc_ctr_params = NULL;
         }
 
-        GF_FREE (ipc_ctr_params);
-
         return ret;
 }
 
-- 
cgit