authorIra Cooper <ira@samba.org>2016-03-04 18:00:07 -0500
committerJeremy Allison <jra@samba.org>2016-03-05 09:08:53 +0100
commit9ee4678b8d92a8ab4ea9a4ff80b2da6bd3da5a16 (patch)
tree3515f653cb578467a4acf708eddd52cb3fb75ec3 /source3
parent58d3462bc58290d8eb5e554c6c59cf6b73ccf58a (diff)
downloadsamba-9ee4678b8d92a8ab4ea9a4ff80b2da6bd3da5a16.tar.gz
vfs_glusterfs: Fix use after free in AIO callback.
The wrapper->state pointer is not getting NULLed during free allowing use of freed memory, causing a crash. Thanks to Red Hat for discovering this issue. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774 Signed-off-by: Ira Copper <ira@samba.org> Reviewed-by: Poornima G <pgurusid@redhat.com> Tested-by: Christopher Blum <cblum@redhat.com> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Mar 5 09:08:53 CET 2016 on sn-devel-144
Diffstat (limited to 'source3')
-rw-r--r--source3/modules/vfs_glusterfs.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index c98e48091fa..2008342229d 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -507,7 +507,9 @@ struct glusterfs_aio_state {
static int aio_wrapper_destructor(struct glusterfs_aio_wrapper *wrap)
{
- wrap->state->cancelled = true;
+ if (wrap->state != NULL) {
+ wrap->state->cancelled = true;
+ }
return 0;
}
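Review bot: The new `wrap->state != NULL` check in aio_wrapper_destructor is only safe if every path that frees the state also clears `wrap->state`, and nothing in the hunk documents that invariant. vfs_gluster_recv now does this through `TALLOC_FREE(wrapper->state)`, but any other free site that works on a local copy of the pointer (none is visible here, so this is worth auditing) would leave the same dangling pointer and the destructor would again write `cancelled` into freed memory. I would add a comment above the check, for example `/* state is set to NULL when it is freed; non-NULL means the request is still in flight */`, so that a later refactor does not reintroduce a local alias.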
@@ -744,7 +746,6 @@ static struct tevent_req *vfs_gluster_pwrite_send(struct vfs_handle_struct
static ssize_t vfs_gluster_recv(struct tevent_req *req,
struct vfs_aio_state *vfs_aio_state)
{
- struct glusterfs_aio_state *state = NULL;
struct glusterfs_aio_wrapper *wrapper = NULL;
int ret = 0;
@@ -754,9 +755,7 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
return -1;
}
- state = wrapper->state;
-
- if (state == NULL) {
+ if (wrapper->state == NULL) {
return -1;
}
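Review bot: The `wrapper->state == NULL` branch returns -1 without writing anything to `*vfs_aio_state`, as far as this hunk shows. Because the state is now reliably NULL after the first successful receive, a second call on the same request reaches this branch, and the caller then sees a failure with whatever error value the structure held before. If `struct vfs_aio_state` carries an errno-style field (its definition is not visible here), set it before returning, e.g. `vfs_aio_state->error = EINVAL;`. The same applies to the `return -1;` just above, whose condition lies outside the hunk.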
@@ -764,12 +763,12 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
return -1;
}
- *vfs_aio_state = state->vfs_aio_state;
- ret = state->ret;
+ *vfs_aio_state = wrapper->state->vfs_aio_state;
+ ret = wrapper->state->ret;
/* Clean up the state, it is in a NULL context. */
- TALLOC_FREE(state);
+ TALLOC_FREE(wrapper->state);
return ret;
}
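Review bot: `ret` is declared `int` in the context of the earlier hunk while vfs_gluster_recv returns `ssize_t`, so `ret = wrapper->state->ret;` can truncate a large transfer count if the stored field is wider than `int` (the struct definition is not visible here, so this needs confirming). Declaring it as `ssize_t ret = 0;` removes the narrowing at no cost. A truncated or sign-flipped length returned from an I/O completion path is the kind of value callers later use for buffer accounting, so it is worth fixing alongside the lifetime bug.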