author Emmanuel Dreyfus <manu@netbsd.org> 2014-08-20 10:50:35 +0200
committer Krishnan Parthasarathi <kparthas@redhat.com> 2014-08-21 20:30:14 -0700
commit 865d156d30498cd1bf4219ddbbb304d2ffd4aea0
tree d50ccf63514745a781caecb826eaba7fe5112e38
parent f83067f2a9fc5d85bbd985e14fcda07346371ec8
Fix quotad RPC options use-after-free bug in gluster
In cli/src/cli.c:cli_quotad_clnt_rpc_init(), dict_unref (rpc_opts) causes the options to be freed while code in rpc/rpc-transport/socket still relies on it. The options are corrupted when memory is reallocated, which sometimes leads to crashes on NetBSD when socket_connect() attempted to read options.

Fix the problem by not doing the dict_unref(). Make sure the rpc_opts are freed on error, though.

BUG: 1129939
Change-Id: If1d6ea50cc3e1599e9e369863c8db0c0694d3671
Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
Reviewed-on: http://review.gluster.org/8502
Reviewed-by: Santosh Pradhan <spradhan@redhat.com>
Reviewed-by: Niels de Vos <ndevos@redhat.com>
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com>
Tested-by: Krishnan Parthasarathi <kparthas@redhat.com>
-rw-r--r-- cli/src/cli.c 5
1 files changed, 4 insertions, 1 deletions
diff --git a/cli/src/cli.c b/cli/src/cli.c
index fa3c747d154..992f6a54321 100644
--- a/cli/src/cli.c
+++ b/cli/src/cli.c
@@ -553,7 +553,10 @@ cli_quotad_clnt_rpc_init (void)
global_quotad_rpc = rpc;
out:
- dict_unref (rpc_opts);
+ if (ret) {
+ if (rpc_opts)
+ dict_destroy(rpc_opts);
+ }
return rpc;
}
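Review bot: the error-path cleanup under `if (ret)` at the `out:` label calls `dict_destroy(rpc_opts)`, which frees the dict regardless of its reference count, where the removed line used the refcounted `dict_unref (rpc_opts)`. If any failure reaches `out:` after the rpc/transport layer has already stored the options pointer, this recreates the dangling reference the commit message describes, only on the error path. Consider `dict_unref (rpc_opts)` here instead, or have the consumer take its own `dict_ref()` so the caller can drop its reference unconditionally. On the success path the caller's reference is now deliberately never released; a short comment at `out:` stating that ownership of `rpc_opts` passes to the rpc object would keep a later cleanup from reintroducing the unref. Minor style point: the new call omits the space before the parenthesis that the surrounding code uses (`dict_unref (rpc_opts)`).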