From f2137d4c84c035ed320f959dc39e07c6a1516afb Mon Sep 17 00:00:00 2001
From: Shwetha K Acharya
Date: Fri, 14 Sep 2018 10:27:56 +0530
Subject: protocol/server: NULL pointer dereferencing clang fix

Problem: Access to field fop_length results in null pointer dereferencing.
Solution: Added condition checks fix the issue.

Change-Id: Id408e3ac62ea9574f0cd9aecce5434add09eb7d0
Updates: bz#1622665
Signed-off-by: Shwetha K Acharya
---
 xlators/protocol/server/src/server-rpc-fops.c | 9 +++++++--
 xlators/protocol/server/src/server-rpc-fops_v2.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)
(limited to 'xlators/protocol/server')

diff --git a/xlators/protocol/server/src/server-rpc-fops.c b/xlators/protocol/server/src/server-rpc-fops.c
index c621743fa06..9631c353f69 100644
--- a/xlators/protocol/server/src/server-rpc-fops.c
+++ b/xlators/protocol/server/src/server-rpc-fops.c
@@ -2292,6 +2292,11 @@ server_compound_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
 /* TODO: I assume a single 10MB payload is large, if not, we need to agree to valid payload */
+ if (!args_cbk) {
+ op_ret = -1;
+ goto out;
+ }
+
 if ((args_cbk->fop_length <= 0) || ((args_cbk->fop_length > (10 * 1024 * 1024)))) {
 op_ret = -1;
@@ -2326,8 +2331,8 @@ out:
 server_submit_reply(frame, req, &rsp, NULL, 0, NULL, (xdrproc_t)xdr_gfs3_compound_rsp);
-
- server_compound_rsp_cleanup(&rsp, args_cbk);
+ if (args_cbk)
+ server_compound_rsp_cleanup(&rsp, args_cbk);
 GF_FREE(rsp.xdata.xdata_val);
 return 0;
diff --git a/xlators/protocol/server/src/server-rpc-fops_v2.c b/xlators/protocol/server/src/server-rpc-fops_v2.c
index 21df9021c66..f921a22df86 100644
--- a/xlators/protocol/server/src/server-rpc-fops_v2.c
+++ b/xlators/protocol/server/src/server-rpc-fops_v2.c
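Review bot: The new `if (!args_cbk)` guard in server_compound_cbk sets `op_ret = -1` but leaves op_errno untouched, so when the callback arrives with a non-negative op_ret and no payload the client receives a failure whose errno is whatever value was passed in, presumably 0; the guard should assign an errno too, e.g. `op_errno = EINVAL;` beside `op_ret = -1;`, or whichever value the existing fop_length check uses (its own errno assignment, if any, is cut off at the end of the hunk). The guard is also inserted between the `/* TODO: ... 10MB payload ... */` comment and the fop_length range check that comment describes, so the comment should move below the new block to stay attached to the check it explains. Whether `rsp` is safe to hand to server_submit_reply on this early `goto out` depends on how it is initialised at the top of the function, which is outside the hunk. The function's opening and the remainder of the `out:` path both lie outside the hunk.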
@@ -5944,6 +5944,11 @@ server4_compound_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
 /* TODO: I assume a single 10MB payload is large, if not, we need to agree to valid payload */
+ if (!args_cbk) {
+ op_ret = -1;
+ goto out;
+ }
+
 if ((args_cbk->fop_length <= 0) || ((args_cbk->fop_length > (10 * 1024 * 1024)))) {
 op_ret = -1;
@@ -5978,8 +5983,8 @@ out:
 server_submit_reply(frame, req, &rsp, NULL, 0, NULL, (xdrproc_t)xdr_gfx_compound_rsp);
-
- server_compound_rsp_cleanup_v2(&rsp, args_cbk);
+ if (args_cbk)
+ server_compound_rsp_cleanup_v2(&rsp, args_cbk);
 GF_FREE(rsp.xdata.pairs.pairs_val);
 return 0;
-- cgit
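Review bot: The `if (!args_cbk)` guard in server4_compound_cbk reports failure with `op_ret = -1` without assigning op_errno, so on this path the reply's errno is whatever the callback received, presumably 0 when the upper xlator returned success with a NULL payload; adding `op_errno = EINVAL;` next to `op_ret = -1;` (or the value the fop_length check below uses, which is cut off at the hunk end) makes the error reply self-consistent. As in the gfs3 variant, the inserted block now separates the 10MB `/* TODO ... */` comment from the fop_length range check it annotates, so the comment should move below the guard. The `if (args_cbk)` added before `server_compound_rsp_cleanup_v2` matches the guard, but the rest of the `out:` label, where rsp's op_ret/op_errno fields are presumably filled in before server_submit_reply, is outside the hunk, as is the function's opening.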