From d10bd788fada54ad095e19b5aedf949e23fdabb2 Mon Sep 17 00:00:00 2001
From: Emmanuel Dreyfus
Date: Wed, 8 Apr 2015 10:49:07 +0200
Subject: crypt xlator: Fix memory coruption after free
crypt xlator allocated local memory through mem_get0(), but code called through STACK_DESTROY()/FRAME_DESTROY() does not expect memory to be allocated that way: it will use GF_FREE() even for data allocated by mem_get0(), which should be given the mem_put() treatment. As a result, allocating using mem_get0(), while relying on FRAME_DESTROY() cleanup led to memory corruption. Using GF_CALLOC() instead of mem_get0() sets memory allocation on par with cleanup code, and crypt.t can pass on NetBSD. The initial patch was crafted by Raghavendra Talur.
BUG: 1129939
Change-Id: Ib71b4b57f8d1bb782f950e3c8fa74a4f7e10946e
Signed-off-by: Emmanuel Dreyfus
Reviewed-on: http://review.gluster.org/10109
Tested-by: Gluster Build System
Reviewed-by: Kaleb KEITHLEY
Reviewed-by: Vijay Bellur
---
 xlators/encryption/crypt/src/crypt-mem-types.h | 1 +
 xlators/encryption/crypt/src/crypt.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/xlators/encryption/crypt/src/crypt-mem-types.h b/xlators/encryption/crypt/src/crypt-mem-types.h
index 2eab921fcba..1954c579423 100644
--- a/xlators/encryption/crypt/src/crypt-mem-types.h
+++ b/xlators/encryption/crypt/src/crypt-mem-types.h
@@ -24,6 +24,7 @@ enum gf_crypt_mem_types_ {
 gf_crypt_mt_key,
 gf_crypt_mt_iovec,
 gf_crypt_mt_char,
+ gf_crypt_mt_local,
 gf_crypt_mt_end,
 };
diff --git a/xlators/encryption/crypt/src/crypt.c b/xlators/encryption/crypt/src/crypt.c
index 2c296061ff7..5387f84303c 100644
--- a/xlators/encryption/crypt/src/crypt.c
+++ b/xlators/encryption/crypt/src/crypt.c
@@ -48,7 +48,7 @@ static crypt_local_t *crypt_alloc_local(call_frame_t *frame, xlator_t *this,
 {
 crypt_local_t *local = NULL;
- local = mem_get0(this->local_pool);
+ local = GF_CALLOC (1, sizeof (*local), gf_crypt_mt_local);
 if (!local) {
 gf_log(this->name, GF_LOG_ERROR, "out of memory");
 return NULL;
-- cgit
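Review bot: The switch to `GF_CALLOC` in crypt_alloc_local() changes only the allocation side, and nothing visible in this hunk shows that every release path for `local` now ends in `GF_FREE()`; any remaining `mem_put()` on a crypt_local_t elsewhere in crypt.c (not shown here) would recreate the same allocator/deallocator mismatch in the opposite direction. It is worth confirming that no such call is left, and checking whether `this->local_pool` is still needed once this function no longer draws from it. I would also add a comment above the call, for example `/* released by FRAME_DESTROY() via GF_FREE(), so this must not come from this->local_pool */`, so the allocation is not moved back to the pool later. The body of crypt_alloc_local() continues outside the hunk.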