The branch, master has been updated
       via  9ee4678 vfs_glusterfs: Fix use after free in AIO callback.
      from  58d3462 source3: Honor the core soft limit of the OS.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9ee4678b8d92a8ab4ea9a4ff80b2da6bd3da5a16
Author: Ira Cooper <[email protected]>
Date:   Fri Mar 4 18:00:07 2016 -0500

    vfs_glusterfs: Fix use after free in AIO callback.
    
    The wrapper->state pointer is not getting NULLed during free,
    allowing use of freed memory and causing a crash.
    
    Thanks to Red Hat for discovering this issue.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774
    
    Signed-off-by: Ira Copper <[email protected]>
    Reviewed-by: Poornima G <[email protected]>
    Tested-by: Christopher Blum <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>
    
    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Sat Mar  5 09:08:53 CET 2016 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
 source3/modules/vfs_glusterfs.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index c98e480..2008342 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -507,7 +507,9 @@ struct glusterfs_aio_state {
 
 static int aio_wrapper_destructor(struct glusterfs_aio_wrapper *wrap)
 {
-       wrap->state->cancelled = true;
+       if (wrap->state != NULL) {
+               wrap->state->cancelled = true;
+       }
 
        return 0;
 }
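Review bot: The new NULL check in aio_wrapper_destructor has no comment saying when `wrap->state` can legitimately be NULL, and that invariant is what the fix rests on. Judging from the last hunk, it is the case where vfs_gluster_recv() has already released the state through `TALLOC_FREE(wrapper->state)`, which also resets the pointer. I would add above the check: `/* wrap->state is NULL once vfs_gluster_recv() has freed it via TALLOC_FREE(). */`. Without it, a later change that caches the pointer in a local again could reintroduce the write to freed memory unnoticed.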
@@ -744,7 +746,6 @@ static struct tevent_req *vfs_gluster_pwrite_send(struct 
vfs_handle_struct
 static ssize_t vfs_gluster_recv(struct tevent_req *req,
                                struct vfs_aio_state *vfs_aio_state)
 {
-       struct glusterfs_aio_state *state = NULL;
        struct glusterfs_aio_wrapper *wrapper = NULL;
        int ret = 0;
 
@@ -754,9 +755,7 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
                return -1;
        }
 
-       state = wrapper->state;
-
-       if (state == NULL) {
+       if (wrapper->state == NULL) {
                return -1;
        }
 
@@ -764,12 +763,12 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
                return -1;
        }
 
-       *vfs_aio_state = state->vfs_aio_state;
-       ret = state->ret;
+       *vfs_aio_state = wrapper->state->vfs_aio_state;
+       ret = wrapper->state->ret;
 
        /* Clean up the state, it is in a NULL context. */
 
-       TALLOC_FREE(state);
+       TALLOC_FREE(wrapper->state);
 
        return ret;
 }
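Review bot: `ret = wrapper->state->ret;` stores the result in an `int` (declared as `int ret = 0;` in the earlier hunk), although vfs_gluster_recv returns `ssize_t`. The type of `state->ret` is not visible on this page; if it is `ssize_t`, as the return type suggests, the value is narrowed and then widened again on `return ret;`. Declaring `ssize_t ret = 0;` would carry byte counts and error values through unchanged. The function starts outside this hunk.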


-- 
Samba Shared Repository
