From da7ca1efcf3a621c27f05d621715e57fdc5aa397 Mon Sep 17 00:00:00 2001 From: Krutika Dhananjay Date: Wed, 28 Nov 2012 22:29:36 +0530 Subject: protocol/server: Do not access key after GF_FREE in _delete_auth_opt() PROBLEMS: 1.'key' becomes a dangling pointer after the first call to dict_del() returns, in _delete_auth_opt(). Therefore, the second call to fnmatch() is made with 'key' pointing to deallocated space. 2. Also, the name _delete_auth_opt seems to suggest that the function is intended to match and delete "auth" options from the dictionary. But it winds up deleting all the options irrespective of whether the pattern match was successful or not. The same is true with _copy_auth_opt(). FIX: Changed _delete_auth_opt() to delete the key ONLY if it matches either of the two patterns (auth.addr.*.allow and auth.addr.*.reject). Similarly, changed _copy_auth_opt() along the same lines. Change-Id: Ic8664e5a0a29cefe43cb59a27e32fbdbeac154b5 BUG: 881062 Signed-off-by: Krutika Dhananjay Reviewed-on: http://review.gluster.org/4337 Reviewed-by: Pranith Kumar Karampuri Tested-by: Gluster Build System Reviewed-by: Anand Avati --- xlators/protocol/server/src/server.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) (limited to 'xlators/protocol/server') diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c index 908f62a7b84..19f09a82f2f 100644 --- a/xlators/protocol/server/src/server.c +++ b/xlators/protocol/server/src/server.c @@ -839,13 +839,16 @@ static int _delete_auth_opt (dict_t *this, char *key, data_t *value, void *data) { char *auth_option_pattern[] = { "auth.addr.*.allow", - "auth.addr.*.reject"}; + "auth.addr.*.reject", + NULL}; + int i = 0; - if (fnmatch ( auth_option_pattern[0], key, 0) != 0) - dict_del (this, key); - - if (fnmatch ( auth_option_pattern[1], key, 0) != 0) - dict_del (this, key); + for (i = 0; auth_option_pattern[i]; i++) { + if (fnmatch (auth_option_pattern[i], key, 0) == 0) { + dict_del (this, key); + break; + } + } return 0; } @@ -855,12 +858,16 @@ static int _copy_auth_opt (dict_t *unused, char *key, data_t *value, void *xl_dict) { char *auth_option_pattern[] = { "auth.addr.*.allow", - "auth.addr.*.reject"}; - if (fnmatch ( auth_option_pattern[0], key, 0) != 0) - dict_set ((dict_t *)xl_dict, key, (value)); + "auth.addr.*.reject", + NULL}; + int i = 0; - if (fnmatch ( auth_option_pattern[1], key, 0) != 0) - dict_set ((dict_t *)xl_dict, key, (value)); + for (i = 0; auth_option_pattern [i]; i++) { + if (fnmatch (auth_option_pattern[i], key, 0) == 0) { + dict_set ((dict_t *)xl_dict, key, value); + break; + } + } return 0; } -- cgit