From 029a7e5c1908f53cc4411a8d6cbf6a4e2b207879 Mon Sep 17 00:00:00 2001
From: Kinglong Mee
Date: Thu, 18 Oct 2018 17:46:26 +0800
Subject: dht: fix use after free in dht_rmdir_readdirp_cbk

The frame is freed when linkfile exist in dht_rmdir_is_subvol_empty(), the following message use the freed local.

Change-Id: I41191e8bd477f031a2444d5f15e578dc4f086e6b
Updates: bz#1640489
Signed-off-by: Kinglong Mee
---
 xlators/cluster/dht/src/dht-common.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
(limited to 'xlators')

diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
index 808b4ceb6e5..6947d21a1ec 100644
--- a/xlators/cluster/dht/src/dht-common.c
+++ b/xlators/cluster/dht/src/dht-common.c
@@ -10066,12 +10066,18 @@ dht_rmdir_readdirp_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
     xlator_t *prev = NULL;
     xlator_t *src = NULL;
     int ret = 0;
+    char *path = NULL;
 
     local = frame->local;
     prev = cookie;
     src = prev;
 
     if (op_ret > 2) {
+        /* dht_rmdir_is_subvol_empty() may free the frame,
+         * copy path for logging.
+         */
+        path = gf_strdup(local->loc.path);
+
         ret = dht_rmdir_is_subvol_empty(frame, this, entries, src);
 
         switch (ret) {
@@ -10082,25 +10088,22 @@ dht_rmdir_readdirp_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
                              prev->name, local->loc.path, op_ret);
                 local->op_ret = -1;
                 local->op_errno = ENOTEMPTY;
-                goto done;
+                break;
             default:
                 /* @ret number of linkfiles are getting unlinked */
                 gf_msg_trace(this->name, 0,
                              "readdir on %s for %s found %d "
                              "linkfiles",
-                             prev->name, local->loc.path, ret);
+                             prev->name, path, ret);
                 break;
         }
     }
 
-    if (ret) {
-        return 0;
-    }
-
-done:
     /* readdirp failed or no linkto files were found on this subvol */
+    if (!ret)
+        dht_rmdir_readdirp_done(frame, this);
 
-    dht_rmdir_readdirp_done(frame, this);
+    GF_FREE(path);
 
     return 0;
 }
-- 
cgit
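Review bot: The `gf_strdup(local->loc.path)` result added in the first hunk is never checked, so on allocation failure `path` stays NULL and the `default:` branch of the second hunk hands it to a `%s` conversion in gf_msg_trace. Guarding the argument, `prev->name, path ? path : "<unknown>", ret);`, keeps the trace message well-defined without another early exit, and it is worth noting that the copy is paid on every readdirp callback with more than two entries even though it only feeds a trace-level message. The new comment should also state the contract the rest of the function now relies on: `/* dht_rmdir_is_subvol_empty() may hand the frame to the linkfile unlink path; on a non-zero return local may already be freed, so nothing below may dereference it. */`. The `if (!ret)` that replaces the `goto done` only preserves the old ENOTEMPTY behaviour if that case's label is zero, which lies above the second hunk and cannot be confirmed here. dht_rmdir_readdirp_cbk begins before the first hunk.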