From 48de998d589350dafeb00bc6ecd22faa9f66b9da Mon Sep 17 00:00:00 2001
From: Pranith Kumar K <pkarampu@redhat.com>
Date: Fri, 24 Apr 2015 16:24:52 +0530
Subject: timer: Fix use after free issue

Change-Id: I056c9777b242a11af7f576ad19b2db93dbdf82d4
BUG: 1215117
Signed-off-by: Pranith Kumar K <pkarampu@redhat.com>
Reviewed-on: http://review.gluster.org/10367
Reviewed-by: Poornima G <pgurusid@redhat.com>
Tested-by: NetBSD Build System
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Vijay Bellur <vbellur@redhat.com>
---
 libglusterfs/src/timer.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'libglusterfs')

diff --git a/libglusterfs/src/timer.c b/libglusterfs/src/timer.c
index cc47db3b9e1..0d845cdeb38 100644
--- a/libglusterfs/src/timer.c
+++ b/libglusterfs/src/timer.c
@@ -176,12 +176,16 @@ gf_timer_proc (void *ctx)
                         }
                         pthread_mutex_unlock (&reg->lock);
                         if (need_cbk) {
+                                old_THIS = NULL;
                                 if (event->xl) {
                                         old_THIS = THIS;
                                         THIS = event->xl;
                                 }
                                 event->callbk (event->data);
-                                if (event->xl) {
+                                /*This callbk above would have freed the event
+                                 * by calling timer_cancel, don't ever touch it
+                                 * again*/
+                                if (old_THIS) {
                                         THIS = old_THIS;
                                 }
                         }
-- 
cgit