diff options
author | Martin Schwenke <martin@meltin.net> | 2016-07-20 14:41:13 +1000 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-07-20 21:27:17 +0200 |
commit | fac60e58847187fa91136aedb87ee5e32adf6cd3 (patch) | |
tree | 242a32a3288b8ee80dd35330a50aadbc2b494284 /ctdb/client | |
parent | 5f57bcc01d973516beaedfbd2c1ef552322e4779 (diff) | |
download | samba-fac60e58847187fa91136aedb87ee5e32adf6cd3.tar.gz |
ctdb-client: Fix access after free error
State is stolen onto tmp_ctx above so can't be referenced after
tmp_ctx is freed. So, state->status has to be looked at earlier.
Moving it immediately before the talloc_free(tmp_ctx) isn't sufficient
because invoking the callback appears to cause a recursive call to
ctdb_control_recv(), which also frees state.
Referencing it at the top seems safe.
==23982== Invalid read of size 4
==23982== at 0x4204AE: ctdb_control_recv (ctdb_client.c:1181)
==23982== by 0x420645: invoke_control_callback (ctdb_client.c:971)
==23982== by 0x5E675EC: tevent_common_loop_timer_delay (tevent_timed.c:341)
==23982== by 0x5E68639: epoll_event_loop_once (tevent_epoll.c:911)
==23982== by 0x5E66BD6: std_event_loop_once (tevent_standard.c:114)
==23982== by 0x5E622EC: _tevent_loop_once (tevent.c:533)
==23982== by 0x4255F7: ctdb_client_async_wait (ctdb_client.c:3385)
==23982== by 0x42578A: ctdb_client_async_control (ctdb_client.c:3442)
==23982== by 0x41B405: ctdb_get_nodes_files (ctdb.c:5488)
==23982== by 0x41B405: check_all_node_files_are_identical (ctdb.c:5530)
==23982== by 0x41B405: control_reload_nodes_file (ctdb.c:5673)
==23982== by 0x404DBA: main (ctdb.c:6008)
==23982== Address 0x7e98d9c is 108 bytes inside a block of size 168 free'd
==23982== at 0x4C2CDFB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23982== by 0x5652692: _tc_free_internal (talloc.c:1125)
==23982== by 0x5652692: _tc_free_children_internal (talloc.c:1570)
==23982== by 0x564B952: _tc_free_internal (talloc.c:1081)
==23982== by 0x564B952: _talloc_free_internal (talloc.c:1151)
==23982== by 0x564B952: _talloc_free (talloc.c:1693)
==23982== by 0x4204C9: ctdb_control_recv (ctdb_client.c:1182)
==23982== by 0x4207AA: async_callback (ctdb_client.c:3350)
==23982== by 0x4204AD: ctdb_control_recv (ctdb_client.c:1179)
==23982== by 0x420645: invoke_control_callback (ctdb_client.c:971)
==23982== by 0x5E675EC: tevent_common_loop_timer_delay (tevent_timed.c:341)
==23982== by 0x5E68639: epoll_event_loop_once (tevent_epoll.c:911)
==23982== by 0x5E66BD6: std_event_loop_once (tevent_standard.c:114)
==23982== by 0x5E622EC: _tevent_loop_once (tevent.c:533)
==23982== by 0x4255F7: ctdb_client_async_wait (ctdb_client.c:3385)
==23982== Block was alloc'd at
==23982== at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23982== by 0x564DBEC: __talloc_with_prefix (talloc.c:675)
==23982== by 0x564DBEC: __talloc (talloc.c:716)
==23982== by 0x564DBEC: _talloc_named_const (talloc.c:873)
==23982== by 0x564DBEC: _talloc_zero (talloc.c:2318)
==23982== by 0x42017F: ctdb_control_send (ctdb_client.c:1086)
==23982== by 0x425746: ctdb_client_async_control (ctdb_client.c:3431)
==23982== by 0x41B405: ctdb_get_nodes_files (ctdb.c:5488)
==23982== by 0x41B405: check_all_node_files_are_identical (ctdb.c:5530)
==23982== by 0x41B405: control_reload_nodes_file (ctdb.c:5673)
==23982== by 0x404DBA: main (ctdb.c:6008)
==23982==
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'ctdb/client')
-rw-r--r-- | ctdb/client/ctdb_client.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ctdb/client/ctdb_client.c b/ctdb/client/ctdb_client.c index 19502be1841..6748e692a62 100644 --- a/ctdb/client/ctdb_client.c +++ b/ctdb/client/ctdb_client.c @@ -1170,6 +1170,7 @@ int ctdb_control_recv(struct ctdb_context *ctdb, } if (state->errormsg) { + int s = (state->status == 0 ? -1 : state->status); DEBUG(DEBUG_ERR,("ctdb_control error: '%s'\n", state->errormsg)); if (errormsg) { (*errormsg) = talloc_move(mem_ctx, &state->errormsg); @@ -1178,7 +1179,7 @@ int ctdb_control_recv(struct ctdb_context *ctdb, state->async.fn(state); } talloc_free(tmp_ctx); - return (state->status == 0 ? -1 : state->status); + return s; } if (outdata) { |