[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Sat Mar 5 08:09:03 UTC 2016


The branch, master has been updated
       via  9ee4678 vfs_glusterfs: Fix use after free in AIO callback.
      from  58d3462 source3: Honor the core soft limit of the OS.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9ee4678b8d92a8ab4ea9a4ff80b2da6bd3da5a16
Author: Ira Cooper <ira at samba.org>
Date:   Fri Mar 4 18:00:07 2016 -0500

    vfs_glusterfs: Fix use after free in AIO callback.
    
    The wrapper->state pointer is not getting NULLed during free
    allowing use of freed memory, causing a crash.
    
    Thanks to Red Hat for discovering this issue.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774
    
    Signed-off-by: Ira Copper <ira at samba.org>
    Reviewed-by: Poornima G <pgurusid at redhat.com>
    Tested-by: Christopher Blum <cblum at redhat.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Mar  5 09:08:53 CET 2016 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/vfs_glusterfs.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index c98e480..2008342 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -507,7 +507,9 @@ struct glusterfs_aio_state {
 
 static int aio_wrapper_destructor(struct glusterfs_aio_wrapper *wrap)
 {
-	wrap->state->cancelled = true;
+	if (wrap->state != NULL) {
+		wrap->state->cancelled = true;
+	}
 
 	return 0;
 }
@@ -744,7 +746,6 @@ static struct tevent_req *vfs_gluster_pwrite_send(struct vfs_handle_struct
 static ssize_t vfs_gluster_recv(struct tevent_req *req,
 				struct vfs_aio_state *vfs_aio_state)
 {
-	struct glusterfs_aio_state *state = NULL;
 	struct glusterfs_aio_wrapper *wrapper = NULL;
 	int ret = 0;
 
@@ -754,9 +755,7 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
 		return -1;
 	}
 
-	state = wrapper->state;
-
-	if (state == NULL) {
+	if (wrapper->state == NULL) {
 		return -1;
 	}
 
@@ -764,12 +763,12 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
 		return -1;
 	}
 
-	*vfs_aio_state = state->vfs_aio_state;
-	ret = state->ret;
+	*vfs_aio_state = wrapper->state->vfs_aio_state;
+	ret = wrapper->state->ret;
 
 	/* Clean up the state, it is in a NULL context. */
 
-	TALLOC_FREE(state);
+	TALLOC_FREE(wrapper->state);
 
 	return ret;
 }


-- 
Samba Shared Repository



More information about the samba-cvs mailing list