[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Sat Mar 5 08:09:03 UTC 2016
The branch, master has been updated
via 9ee4678 vfs_glusterfs: Fix use after free in AIO callback.
from 58d3462 source3: Honor the core soft limit of the OS.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9ee4678b8d92a8ab4ea9a4ff80b2da6bd3da5a16
Author: Ira Cooper <ira at samba.org>
Date: Fri Mar 4 18:00:07 2016 -0500
vfs_glusterfs: Fix use after free in AIO callback.
The wrapper->state pointer is not getting NULLed during free
allowing use of freed memory, causing a crash.
Thanks to Red Hat for discovering this issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774
Signed-off-by: Ira Copper <ira at samba.org>
Reviewed-by: Poornima G <pgurusid at redhat.com>
Tested-by: Christopher Blum <cblum at redhat.com>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Mar 5 09:08:53 CET 2016 on sn-devel-144
-----------------------------------------------------------------------
Summary of changes:
source3/modules/vfs_glusterfs.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index c98e480..2008342 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -507,7 +507,9 @@ struct glusterfs_aio_state {
static int aio_wrapper_destructor(struct glusterfs_aio_wrapper *wrap)
{
- wrap->state->cancelled = true;
+ if (wrap->state != NULL) {
+ wrap->state->cancelled = true;
+ }
return 0;
}
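Review bot: The new `wrap->state != NULL` guard in aio_wrapper_destructor() is only safe if every path that frees the state also clears wrap->state, and nothing in the destructor documents that invariant. A short comment above the check saying that vfs_gluster_recv() frees the state and resets the pointer would keep a later change from freeing the state through a local copy again, which is what the removed lines further down did.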
@@ -744,7 +746,6 @@ static struct tevent_req *vfs_gluster_pwrite_send(struct vfs_handle_struct
static ssize_t vfs_gluster_recv(struct tevent_req *req,
struct vfs_aio_state *vfs_aio_state)
{
- struct glusterfs_aio_state *state = NULL;
struct glusterfs_aio_wrapper *wrapper = NULL;
int ret = 0;
@@ -754,9 +755,7 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
return -1;
}
- state = wrapper->state;
-
- if (state == NULL) {
+ if (wrapper->state == NULL) {
return -1;
}
@@ -764,12 +763,12 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
return -1;
}
- *vfs_aio_state = state->vfs_aio_state;
- ret = state->ret;
+ *vfs_aio_state = wrapper->state->vfs_aio_state;
+ ret = wrapper->state->ret;
/* Clean up the state, it is in a NULL context. */
- TALLOC_FREE(state);
+ TALLOC_FREE(wrapper->state);
return ret;
}
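Review bot: The fix at `TALLOC_FREE(wrapper->state);` relies on TALLOC_FREE setting its argument to NULL after freeing, but the existing comment ("Clean up the state, it is in a NULL context.") only explains why the free is needed, not why the pointer must be cleared through the wrapper. Suggest extending that comment to say the destructor checks wrapper->state, so that nobody swaps in a plain talloc_free() or reintroduces a local `state` alias. Separately, the `return -1;` shown as context at the top of this hunk is reached with wrapper->state already known to be non-NULL, and the state is described as living in a NULL context; it is worth confirming that this path releases the state somewhere, since nothing in the visible lines does.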
--
Samba Shared Repository