From cf7c4b7c4f1eecd168c39466755e4434dd8e24e6 Mon Sep 17 00:00:00 2001
From: Ira Cooper
Date: Fri, 4 Mar 2016 08:01:25 -0500
Subject: [PATCH] vfs_glusterfs: Fix use after free in AIO callback.

The wrapper->state pointer is not getting NULLed during free allowing us to do a use after free.

Thanks to Red Hat for discovering this issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774

Signed-off-by: Ira Copper
Reviewed-by: Poornima G
Tested-by: Christopher Blum
Reviewed-by: Jeremy Allison
---
 source3/modules/vfs_glusterfs.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index 427b985..84530a8 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -503,7 +503,9 @@ struct glusterfs_aio_state {
 
 static int aio_wrapper_destructor(struct glusterfs_aio_wrapper *wrap)
 {
-	wrap->state->cancelled = true;
+	if (wrap->state != NULL) {
+		wrap->state->cancelled = true;
+	}
 
 	return 0;
 }
@@ -736,7 +738,6 @@ static struct tevent_req *vfs_gluster_pwrite_send(struct vfs_handle_struct
 
 static ssize_t vfs_gluster_recv(struct tevent_req *req, int *err)
 {
-	struct glusterfs_aio_state *state = NULL;
 	struct glusterfs_aio_wrapper *wrapper = NULL;
 	int ret = 0;
 
@@ -746,24 +747,22 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req, int *err)
 		return -1;
 	}
 
-	state = wrapper->state;
-
-	if (state == NULL) {
+	if (wrapper->state == NULL) {
 		return -1;
 	}
 
 	if (tevent_req_is_unix_error(req, err)) {
 		return -1;
 	}
 
-	if (state->ret == -1) {
-		*err = state->err;
+	if (wrapper->state->ret == -1) {
+		*err = wrapper->state->err;
 	}
 
-	ret = state->ret;
+	ret = wrapper->state->ret;
 
 	/* Clean up the state, it is in a NULL context. */
-	TALLOC_FREE(state);
+	TALLOC_FREE(wrapper->state);
 
 	return ret;
 }
-- 
2.5.0
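Review bot: The NULL check added in `aio_wrapper_destructor` (first hunk) is only sound because the third hunk frees the state through the wrapper's own field, `TALLOC_FREE(wrapper->state)`, which is what resets the pointer to NULL; neither site says so, and the old `TALLOC_FREE(state)` on a local copy shows how easily that coupling is lost. I would put a comment above the new `if`, `/* NULL once vfs_gluster_recv() has released the state via TALLOC_FREE(wrapper->state). */`, and replace the existing comment in the third hunk with `/* Free through the wrapper so wrapper->state becomes NULL and aio_wrapper_destructor() cannot touch freed memory. */`. If any other path frees the state, it must also do so through wrapper->state or the guard is defeated; the rest of vfs_gluster_recv() and the code that assigns wrapper->state are outside these hunks, so I cannot confirm that from the patch alone.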