|
|
cb8e9e |
From 6c524781cef0e6b00f4602da4ac7a4e03891997c Mon Sep 17 00:00:00 2001
|
|
|
cb8e9e |
From: Jiffin Tony Thottan <jthottan@redhat.com>
|
|
|
cb8e9e |
Date: Fri, 10 Jul 2015 23:12:28 +0530
|
|
|
cb8e9e |
Subject: [PATCH 234/234] features/posix : Avoid double free of a variable in posix_setxattr()
|
|
|
cb8e9e |
|
|
|
cb8e9e |
The buffer acl_xattr is introduced in posix_setxattr() as part of
|
|
|
cb8e9e |
http://review.gluster.org/#/c/11519/. This variable can be freed
|
|
|
cb8e9e |
twice in the code path , one in dict_unref() and another by explicit
|
|
|
cb8e9e |
GF_FREE() call in the code. This patch avoids the same.
|
|
|
cb8e9e |
|
|
|
cb8e9e |
Backport of http://review.gluster.org/#/c/11627/
|
|
|
cb8e9e |
|
|
|
cb8e9e |
Upstream reference
|
|
|
cb8e9e |
>Change-Id: I31c6384e37ab8d8baaed7a53de668c2eb5d82338
|
|
|
cb8e9e |
>BUG: 1242030
|
|
|
cb8e9e |
>Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
|
|
|
cb8e9e |
|
|
|
cb8e9e |
Change-Id: I4c4156575602a9a5c41a34cfc8f92e1e249538ea
|
|
|
cb8e9e |
BUG: 1241839
|
|
|
cb8e9e |
Signed-off-by: Jiffin Tony Thottan <jthottan@redhat.com>
|
|
|
cb8e9e |
Reviewed-on: https://code.engineering.redhat.com/gerrit/52816
|
|
|
cb8e9e |
Reviewed-by: Kaleb Keithley <kkeithle@redhat.com>
|
|
|
cb8e9e |
Tested-by: Kaleb Keithley <kkeithle@redhat.com>
|
|
|
cb8e9e |
---
|
|
|
cb8e9e |
xlators/storage/posix/src/posix.c | 48 ++++++++++++++++++------------------
|
|
|
cb8e9e |
1 files changed, 24 insertions(+), 24 deletions(-)
|
|
|
cb8e9e |
|
|
|
cb8e9e |
diff --git a/xlators/storage/posix/src/posix.c b/xlators/storage/posix/src/posix.c
|
|
|
cb8e9e |
index 27c3457..58f68eb 100644
|
|
|
cb8e9e |
--- a/xlators/storage/posix/src/posix.c
|
|
|
cb8e9e |
+++ b/xlators/storage/posix/src/posix.c
|
|
|
cb8e9e |
@@ -3322,10 +3322,8 @@ posix_setxattr (call_frame_t *frame, xlator_t *this,
|
|
|
cb8e9e |
* reduced into required size using GF_REALLO().
|
|
|
cb8e9e |
*/
|
|
|
cb8e9e |
acl_xattr = GF_CALLOC (1, ACL_BUFFER_MAX, gf_posix_mt_char);
|
|
|
cb8e9e |
- if (!acl_xattr) {
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
+ if (!acl_xattr)
|
|
|
cb8e9e |
goto out;
|
|
|
cb8e9e |
- }
|
|
|
cb8e9e |
|
|
|
cb8e9e |
acl_size = sys_lgetxattr (real_path, POSIX_ACL_ACCESS_XATTR,
|
|
|
cb8e9e |
acl_xattr, ACL_BUFFER_MAX);
|
|
|
cb8e9e |
@@ -3334,7 +3332,6 @@ posix_setxattr (call_frame_t *frame, xlator_t *this,
|
|
|
cb8e9e |
gf_msg (this->name, GF_LOG_WARNING, errno,
|
|
|
cb8e9e |
P_MSG_XATTR_FAILED, "Posix acl is not set "
|
|
|
cb8e9e |
"properly at the backend");
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
goto out;
|
|
|
cb8e9e |
}
|
|
|
cb8e9e |
|
|
|
cb8e9e |
@@ -3343,32 +3340,33 @@ posix_setxattr (call_frame_t *frame, xlator_t *this,
|
|
|
cb8e9e |
gf_msg (this->name, GF_LOG_WARNING, ENOMEM,
|
|
|
cb8e9e |
P_MSG_BUFFER_OVERFLOW, "size of acl is more"
|
|
|
cb8e9e |
"than the buffer");
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
goto out;
|
|
|
cb8e9e |
}
|
|
|
cb8e9e |
|
|
|
cb8e9e |
acl_xattr = GF_REALLOC (acl_xattr, acl_size);
|
|
|
cb8e9e |
+ if (!acl_xattr)
|
|
|
cb8e9e |
+ goto out;
|
|
|
cb8e9e |
+
|
|
|
cb8e9e |
ret = dict_set_bin (xattr, POSIX_ACL_ACCESS_XATTR,
|
|
|
cb8e9e |
acl_xattr, acl_size);
|
|
|
cb8e9e |
- if (ret) {
|
|
|
cb8e9e |
+ if (ret)
|
|
|
cb8e9e |
gf_msg (this->name, GF_LOG_WARNING, 0,
|
|
|
cb8e9e |
P_MSG_SET_XDATA_FAIL, "failed to set"
|
|
|
cb8e9e |
"xdata for acl");
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
- goto out;
|
|
|
cb8e9e |
- }
|
|
|
cb8e9e |
- }
|
|
|
cb8e9e |
|
|
|
cb8e9e |
- GF_FREE (acl_xattr);
|
|
|
cb8e9e |
- acl_xattr = NULL;
|
|
|
cb8e9e |
+ /*
|
|
|
cb8e9e |
+ * dict_unref() will call GF_FREE() indirectly, so to avoid
|
|
|
cb8e9e |
+ * double freeing acl_xattr in out, just set it as NULL here
|
|
|
cb8e9e |
+ */
|
|
|
cb8e9e |
+ acl_xattr = NULL;
|
|
|
cb8e9e |
+ }
|
|
|
cb8e9e |
|
|
|
cb8e9e |
if (dict_get (dict, GF_POSIX_ACL_DEFAULT)) {
|
|
|
cb8e9e |
|
|
|
cb8e9e |
acl_xattr = GF_CALLOC (1, ACL_BUFFER_MAX, gf_posix_mt_char);
|
|
|
cb8e9e |
- if (!acl_xattr) {
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
+ if (!acl_xattr)
|
|
|
cb8e9e |
goto out;
|
|
|
cb8e9e |
- }
|
|
|
cb8e9e |
+
|
|
|
cb8e9e |
acl_size = sys_lgetxattr (real_path, POSIX_ACL_DEFAULT_XATTR,
|
|
|
cb8e9e |
acl_xattr, ACL_BUFFER_MAX);
|
|
|
cb8e9e |
|
|
|
cb8e9e |
@@ -3376,7 +3374,6 @@ posix_setxattr (call_frame_t *frame, xlator_t *this,
|
|
|
cb8e9e |
gf_msg (this->name, GF_LOG_WARNING, errno,
|
|
|
cb8e9e |
P_MSG_XATTR_FAILED, "Posix acl is not set "
|
|
|
cb8e9e |
"properly at the backend");
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
goto out;
|
|
|
cb8e9e |
}
|
|
|
cb8e9e |
|
|
|
cb8e9e |
@@ -3384,20 +3381,25 @@ posix_setxattr (call_frame_t *frame, xlator_t *this,
|
|
|
cb8e9e |
gf_msg (this->name, GF_LOG_WARNING, ENOMEM,
|
|
|
cb8e9e |
P_MSG_BUFFER_OVERFLOW, "size of acl is more"
|
|
|
cb8e9e |
"than the buffer");
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
goto out;
|
|
|
cb8e9e |
}
|
|
|
cb8e9e |
|
|
|
cb8e9e |
acl_xattr = GF_REALLOC (acl_xattr, acl_size);
|
|
|
cb8e9e |
+ if (!acl_xattr)
|
|
|
cb8e9e |
+ goto out;
|
|
|
cb8e9e |
+
|
|
|
cb8e9e |
ret = dict_set_bin (xattr, POSIX_ACL_DEFAULT_XATTR,
|
|
|
cb8e9e |
acl_xattr, acl_size);
|
|
|
cb8e9e |
- if (ret) {
|
|
|
cb8e9e |
+ if (ret)
|
|
|
cb8e9e |
gf_msg (this->name, GF_LOG_WARNING, 0,
|
|
|
cb8e9e |
P_MSG_SET_XDATA_FAIL, "failed to set"
|
|
|
cb8e9e |
"xdata for acl");
|
|
|
cb8e9e |
- ret = -1;
|
|
|
cb8e9e |
- goto out;
|
|
|
cb8e9e |
- }
|
|
|
cb8e9e |
+
|
|
|
cb8e9e |
+ /*
|
|
|
cb8e9e |
+ * dict_unref() will call GF_FREE() indirectly, so to avoid
|
|
|
cb8e9e |
+ * double freeing acl_xattr in out, just set it as NULL here
|
|
|
cb8e9e |
+ */
|
|
|
cb8e9e |
+ acl_xattr = NULL;
|
|
|
cb8e9e |
}
|
|
|
cb8e9e |
out:
|
|
|
cb8e9e |
SET_TO_OLD_FS_ID ();
|
|
|
cb8e9e |
@@ -3406,9 +3408,7 @@ out:
|
|
|
cb8e9e |
|
|
|
cb8e9e |
if (xattr)
|
|
|
cb8e9e |
dict_unref(xattr);
|
|
|
cb8e9e |
-
|
|
|
cb8e9e |
- if (acl_xattr)
|
|
|
cb8e9e |
- GF_FREE (acl_xattr);
|
|
|
cb8e9e |
+ GF_FREE (acl_xattr);
|
|
|
cb8e9e |
|
|
|
cb8e9e |
return 0;
|
|
|
cb8e9e |
}
|
|
|
cb8e9e |
--
|
|
|
cb8e9e |
1.7.1
|
|
|
cb8e9e |
|