From a97ea63aaf4ee79bd6bb9759840fdaa43f37534c Mon Sep 17 00:00:00 2001
From: Pranith Kumar K
Date: Sun, 6 Dec 2015 22:05:54 +0530
Subject: mount/fuse: Fix use-after-free crash

Backport of http://review.gluster.com/12886

fouh->len is accessed after 'node' is freed. Also 'rv' is int where as fouh->len is uint32, changed comparison to ssize_t variables.

BUG: 1288922
Change-Id: Ib5e22ce56a022740fcc09ce430ff1de31a8a45d6
Signed-off-by: Pranith Kumar K
Reviewed-on: http://review.gluster.org/12887
Tested-by: Gluster Build System
Tested-by: NetBSD Build System
Reviewed-by: Raghavendra G
---
 xlators/mount/fuse/src/fuse-bridge.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'xlators')

diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
index 525e7605a45..6735ae464c6 100644
--- a/xlators/mount/fuse/src/fuse-bridge.c
+++ b/xlators/mount/fuse/src/fuse-bridge.c
@@ -3839,7 +3839,8 @@ notify_kernel_loop (void *data)
 xlator_t *this = NULL;
 fuse_private_t *priv = NULL;
 struct fuse_out_header *fouh = NULL;
- int rv = 0;
+ ssize_t rv = 0;
+ ssize_t len = 0;
 fuse_invalidate_node_t *node = NULL;
 this = data;
@@ -3865,17 +3866,18 @@ notify_kernel_loop (void *data)
 fouh = (struct fuse_out_header *)node->inval_buf;
+ len = fouh->len;
 rv = write (priv->fd, node->inval_buf, fouh->len);
- GF_FREE (node);
-
- if (rv != fouh->len && !(rv == -1 && errno == ENOENT))
+ if (rv != len && !(rv == -1 && errno == ENOENT))
 break;
+ GF_FREE (node);
 }
 gf_log ("glusterfs-fuse", GF_LOG_INFO, "kernel notifier loop terminated");
+ GF_FREE (node);
 return NULL;
 }
 #endif
-- cgit
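Review bot: The `GF_FREE (node)` added after the loop is only safe because the loop's sole exit is the `break` that runs before the in-loop `GF_FREE (node)`; GF_FREE does not appear to clear its argument, so any exit path taken after the in-loop free would double-free the same node. Clearing the pointer right after the in-loop free, `GF_FREE (node); node = NULL;`, makes the trailing free a no-op on every other path (assuming GF_FREE tolerates NULL like free() does) and removes that hazard outright. The `write` call still reads `fouh->len` a second time although `len` now holds that value, so `rv = write (priv->fd, node->inval_buf, len);` would keep a single source of truth for the size. Since a short write or a non-ENOENT error is now the only way the loop ends, the "kernel notifier loop terminated" message would be far more useful to an operator with `rv` and the errno (saved before the gf_log call, which may change it) included. The enclosing `notify_kernel_loop` and its loop head begin before this hunk, so the claim about the loop's exits is inferred from what is visible here.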