author | Pranith Kumar K <pkarampu@redhat.com> | 2015-12-06 22:05:54 +0530 |
---|---|---|
committer | Raghavendra G <rgowdapp@redhat.com> | 2015-12-06 20:57:37 -0800 |
commit | 05b510bb893761864d3830eb781210445056a6f9 (patch) | |
tree | 245fc4f51c2b40f613dd34b041febdfe441ade41 /xlators/mount/fuse | |
parent | 02d54bb750c5ad41b81881ce63dd756582aad543 (diff) |
mount/fuse: Fix use-after-free crash
fouh->len is accessed after 'node' is freed. Also 'rv' is int whereas
fouh->len is uint32; changed the comparison to use ssize_t variables.
BUG: 1288857
Change-Id: Ied43d29e1e52719f9b52fe839cee31ce65711eea
Signed-off-by: Pranith Kumar K <pkarampu@redhat.com>
Reviewed-on: http://review.gluster.org/12886
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Raghavendra G <rgowdapp@redhat.com>
Diffstat (limited to 'xlators/mount/fuse')
-rw-r--r-- | xlators/mount/fuse/src/fuse-bridge.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
index 16dd5b5ea0d..dc4b934e97b 100644
--- a/xlators/mount/fuse/src/fuse-bridge.c
+++ b/xlators/mount/fuse/src/fuse-bridge.c
@@ -3842,7 +3842,8 @@ notify_kernel_loop (void *data)
 xlator_t *this = NULL;
 fuse_private_t *priv = NULL;
 struct fuse_out_header *fouh = NULL;
- int rv = 0;
+ ssize_t rv = 0;
+ ssize_t len = 0;
 fuse_invalidate_node_t *node = NULL;
 this = data;
@@ -3868,17 +3869,19 @@ notify_kernel_loop (void *data)
 fouh = (struct fuse_out_header *)node->inval_buf;
+ len = fouh->len;
 rv = sys_write (priv->fd, node->inval_buf, fouh->len);
- GF_FREE (node);
- if (rv != fouh->len && !(rv == -1 && errno == ENOENT))
+ if (rv != len && !(rv == -1 && errno == ENOENT))
 break;
+ GF_FREE (node);
 }
 gf_log ("glusterfs-fuse", GF_LOG_INFO, "kernel notifier loop terminated");
+ GF_FREE (node);
 return NULL;
 }
 #endif |
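Review bot: In the second hunk, `node` keeps its stale value after the in-loop `GF_FREE (node);` until the next iteration reassigns it, while the new post-loop `GF_FREE (node);` frees whatever `node` holds. Any exit from the loop added later before that reassignment would therefore become a double free. Adding `node = NULL;` directly after the in-loop free would keep the two frees mutually exclusive, assuming GF_FREE accepts NULL, which is not visible here. The saved `len` could also be passed to `sys_write` in place of `fouh->len`, so the length is read from the buffer only once. The break path logs only "kernel notifier loop terminated"; adding `rv`, `len` and an `errno` value saved right after the write would make a short or failed write to the fuse fd diagnosable. The loop body starts outside the hunk.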