mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Martin Schwenke fac60e5884 ctdb-client: Fix access after free error
State is stolen onto tmp_ctx above so can't be referenced after
tmp_ctx is freed.  So, state->status has to be looked at earlier.

Moving it immediately before the talloc_free(tmp_ctx) isn't sufficient
because invoking the callback appears to cause a recursive call to
ctdb_control_recv(), which also frees state.

Referencing it at the top seems safe.

==23982== Invalid read of size 4
==23982==    at 0x4204AE: ctdb_control_recv (ctdb_client.c:1181)
==23982==    by 0x420645: invoke_control_callback (ctdb_client.c:971)
==23982==    by 0x5E675EC: tevent_common_loop_timer_delay (tevent_timed.c:341)
==23982==    by 0x5E68639: epoll_event_loop_once (tevent_epoll.c:911)
==23982==    by 0x5E66BD6: std_event_loop_once (tevent_standard.c:114)
==23982==    by 0x5E622EC: _tevent_loop_once (tevent.c:533)
==23982==    by 0x4255F7: ctdb_client_async_wait (ctdb_client.c:3385)
==23982==    by 0x42578A: ctdb_client_async_control (ctdb_client.c:3442)
==23982==    by 0x41B405: ctdb_get_nodes_files (ctdb.c:5488)
==23982==    by 0x41B405: check_all_node_files_are_identical (ctdb.c:5530)
==23982==    by 0x41B405: control_reload_nodes_file (ctdb.c:5673)
==23982==    by 0x404DBA: main (ctdb.c:6008)
==23982==  Address 0x7e98d9c is 108 bytes inside a block of size 168 free'd
==23982==    at 0x4C2CDFB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23982==    by 0x5652692: _tc_free_internal (talloc.c:1125)
==23982==    by 0x5652692: _tc_free_children_internal (talloc.c:1570)
==23982==    by 0x564B952: _tc_free_internal (talloc.c:1081)
==23982==    by 0x564B952: _talloc_free_internal (talloc.c:1151)
==23982==    by 0x564B952: _talloc_free (talloc.c:1693)
==23982==    by 0x4204C9: ctdb_control_recv (ctdb_client.c:1182)
==23982==    by 0x4207AA: async_callback (ctdb_client.c:3350)
==23982==    by 0x4204AD: ctdb_control_recv (ctdb_client.c:1179)
==23982==    by 0x420645: invoke_control_callback (ctdb_client.c:971)
==23982==    by 0x5E675EC: tevent_common_loop_timer_delay (tevent_timed.c:341)
==23982==    by 0x5E68639: epoll_event_loop_once (tevent_epoll.c:911)
==23982==    by 0x5E66BD6: std_event_loop_once (tevent_standard.c:114)
==23982==    by 0x5E622EC: _tevent_loop_once (tevent.c:533)
==23982==    by 0x4255F7: ctdb_client_async_wait (ctdb_client.c:3385)
==23982==  Block was alloc'd at
==23982==    at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23982==    by 0x564DBEC: __talloc_with_prefix (talloc.c:675)
==23982==    by 0x564DBEC: __talloc (talloc.c:716)
==23982==    by 0x564DBEC: _talloc_named_const (talloc.c:873)
==23982==    by 0x564DBEC: _talloc_zero (talloc.c:2318)
==23982==    by 0x42017F: ctdb_control_send (ctdb_client.c:1086)
==23982==    by 0x425746: ctdb_client_async_control (ctdb_client.c:3431)
==23982==    by 0x41B405: ctdb_get_nodes_files (ctdb.c:5488)
==23982==    by 0x41B405: check_all_node_files_are_identical (ctdb.c:5530)
==23982==    by 0x41B405: control_reload_nodes_file (ctdb.c:5673)
==23982==    by 0x404DBA: main (ctdb.c:6008)
==23982==

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-07-20 21:27:17 +02:00
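As an added illustration of the ordering fix the commit message describes (a constructed C model, not the ctdb code itself, with stand-in types for the talloc context and the control state): the status is read before the callback runs, because the callback may re-enter the receive path and free the state before the outer call returns.

```c
#include <stdlib.h>

/* Constructed stand-ins for the talloc/ctdb objects named in the commit message. */
struct ctrl_state;
typedef void (*ctrl_cb)(struct ctrl_state *st);

struct tmp_ctx { struct ctrl_state *child; };   /* minimal talloc-context model */

struct ctrl_state {
    struct tmp_ctx *parent;     /* the context that currently owns this state */
    int status;
    ctrl_cb callback;
};

/* Model of talloc_steal(): move ownership of st from its old context to 'to'. */
static void ctx_steal(struct tmp_ctx *to, struct ctrl_state *st)
{
    if (st->parent) st->parent->child = NULL;
    st->parent = to;
    to->child = st;
}

/* Model of talloc_free(tmp_ctx): frees the state only if this context still owns it. */
static void ctx_free(struct tmp_ctx *c) { free(c->child); free(c); }

/* Fixed ordering: capture status first, then let the callback and free run. */
int control_recv(struct ctrl_state *state)
{
    int status = state->status;         /* the fix: read before anything can free state */
    struct tmp_ctx *tmp = calloc(1, sizeof *tmp);
    ctx_steal(tmp, state);
    if (state->callback) {
        ctrl_cb cb = state->callback;
        state->callback = NULL;         /* nested call runs once, not forever */
        cb(state);                      /* may call control_recv() again and free state */
    }
    ctx_free(tmp);                      /* child is NULL if a nested call stole it */
    return status;                      /* never touch state here: it may be gone */
}

/* Callback modelled on the trace: async_callback -> ctdb_control_recv re-entered. */
static int nested_result;
static void nested_cb(struct ctrl_state *st) { nested_result = control_recv(st); }

/* Drives one nested receive; returns the status if both levels agree, else -1. */
int run_nested_case(int status)
{
    struct tmp_ctx *root = calloc(1, sizeof *root);
    struct ctrl_state *st = calloc(1, sizeof *st);
    st->status = status;
    st->callback = nested_cb;
    ctx_steal(root, st);
    int r = control_recv(st);
    ctx_free(root);                     /* root no longer owns st: no double free */
    return r == nested_result ? r : -1;
}
```

Running the model under valgrind or ASan shows no invalid read; moving `int status = state->status;` below `cb(state);` reproduces the access-after-free the trace reports.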
client ctdb-client: Fix access after free error 2016-07-20 21:27:17 +02:00
common ctdb-system: Remove duplicate functions 2016-06-08 10:33:19 +02:00
config ctdb-scripts: Quote some variable expansions 2016-07-06 08:15:49 +02:00
doc ctdb-scripts: Add new configuration variable CTDB_NOSETSCHED 2016-06-20 16:21:19 +02:00
ib ctdb-ib: Include system/wait.h for signal 2016-07-05 10:53:15 +02:00
include ctdb-ipalloc: Don't build a global IP tree 2016-07-04 15:42:25 +02:00
packaging ctdb-scripts: Add eventscript 06.nfs 2016-06-08 10:33:19 +02:00
protocol ctdb-protocol: Add checks to validate data on wire before unmarshaling 2016-06-18 19:33:14 +02:00
server ctdb-daemon: Log ctdb socket in the main daemon 2016-07-05 10:53:15 +02:00
tcp ctdb-daemon: Use lib/util functions instead of redefinitions 2016-06-08 10:33:19 +02:00
tests ctdb-tests: Link to ctdb-ipalloc instead of using ctdbd_test.c 2016-07-04 19:29:08 +02:00
tools ctdb-tools: Don't bother sending CTDB_SRVID_RECD_UPDATE_IP 2016-07-04 15:42:24 +02:00
utils ctdb-pmda: CTDB client code does not require ctdb->methods 2016-07-05 10:53:15 +02:00
web docs: Fix an outdated remark, tdbsam is default 2016-05-03 08:08:31 +02:00
.bzrignore more code rearrangement 2007-06-07 22:16:48 +10:00
.gitignore git: Ignore generated documentation files 2013-10-22 13:07:13 +11:00
configure ctdb-build: Allow configure and Makefile to find waf in tarball 2014-09-10 01:36:14 +02:00
configure.rpm ctdb-packaging: Package private libraries 2015-07-01 07:19:43 +02:00
COPYING add a licence file 2009-02-07 08:10:34 +11:00
Makefile ctdb-build: Allow configure and Makefile to find waf in tarball 2014-09-10 01:36:14 +02:00
README doc: README - add information about CTDB, license and website 2012-10-22 17:39:49 +11:00
wscript ctdb: fix autotest with socket-wrapper installed in the system 2016-07-11 15:53:30 +02:00

This is the release version of CTDB, a clustered implementation of the TDB
database used by Samba and other projects to store temporary data.

This software is freely distributable under the GNU General Public License,
a copy of which you should have received with this software (in a file
called COPYING).

For documentation on CTDB, please visit the CTDB website http://ctdb.samba.org.