stripe: fix use-after-free

Pretty much a classic case. STRIPE_STACK_UNWIND frees the "local" structure. In the "virtual xattr" path, used for lock recovery among other things, we were calling STRIPE_STACK_UNWIND and then continuing to clean up "our" parts of the just-freed structure. Oops. Change-Id: Ifa961b89cd21a2893de39a9eea243d184f9eac46 BUG: 1222317 Signed-off-by: Jeff Darcy <jdarcy@redhat.com> Reviewed-on: http://review.gluster.org/11037 Reviewed-by: Krishnan Parthasarathi <kparthas@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Tested-by: NetBSD Build System <jenkins@build.gluster.org> Reviewed-by: Niels de Vos <ndevos@redhat.com>
2015-06-01 15:21:00 -04:00 · 2015-06-01 15:21:00 -04:00 · 62992ac27d
commit 62992ac27d
parent 5a66d1e618
1 changed files with 10 additions and 4 deletions
--- a/xlators/cluster/stripe/src/stripe.c
+++ b/xlators/cluster/stripe/src/stripe.c
@ -5445,13 +5445,19 @@ stripe_vgetxattr_cbk (call_frame_t *frame, void *cookie,
                }

        unwind:
+                /*
+                 * Among other things, STRIPE_STACK_UNWIND will free "local"
+                 * for us.  That means we can't dereference it afterward.
+                 * Fortunately, the actual result is in stripe_xattr now, so we
+                 * can simply clean up before unwinding.
+                 */
+                ret = stripe_free_xattr_str (local);
+                GF_FREE (local->xattr_list);
+                local->xattr_list = NULL;
+
                STRIPE_STACK_UNWIND (getxattr, frame, op_ret, op_errno,
                                     stripe_xattr, NULL);

-                ret = stripe_free_xattr_str (local);
-
-                GF_FREE (local->xattr_list);
-
                if (stripe_xattr)
                        dict_unref (stripe_xattr);
        }