The Samba-Bugzilla – Attachment 13887 Details for Bug 13188: ctdb_recovery_helper crashes if recovery process times out
[patch] Patches for v4-6
BZ13188-v4-6.patch (text/plain), 2.34 KB, created by Amitay Isaacs on 2017-12-22 19:34:58 UTC
>From bbe22093322ad3d622eb9d3ea864cdfe252bfc8a Mon Sep 17 00:00:00 2001 >From: Amitay Isaacs <amitay@gmail.com> >Date: Wed, 13 Dec 2017 16:12:09 +1100 >Subject: [PATCH] ctdb-recovery-helper: Deregister message handler in error > paths > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13188 > >If PULL_DB control times out but the remote node is still sending the >data, then the tevent_req for pull_database_send will be freed without >removing the message handler. So when the data is received, srvid >handler will be called and it will try to access tevent_req which will >result in use-after-free and abort. > >Signed-off-by: Amitay Isaacs <amitay@gmail.com> >Reviewed-by: Martin Schwenke <martin@meltin.net> >--- > ctdb/server/ctdb_recovery_helper.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > >diff --git a/ctdb/server/ctdb_recovery_helper.c b/ctdb/server/ctdb_recovery_helper.c >index 474b900c71b..2c7bb4bb25a 100644 >--- a/ctdb/server/ctdb_recovery_helper.c >+++ b/ctdb/server/ctdb_recovery_helper.c >@@ -428,6 +428,7 @@ struct pull_database_state { > uint32_t pnn; > uint64_t srvid; > int num_records; >+ int result; > }; > > static void pull_database_handler(uint64_t srvid, TDB_DATA data, >@@ -625,8 +626,8 @@ static void pull_database_new_done(struct tevent_req *subreq) > if (! status) { > LOG("control DB_PULL failed for %s on node %u, ret=%d\n", > recdb_name(state->recdb), state->pnn, ret); >- tevent_req_error(req, ret); >- return; >+ state->result = ret; >+ goto unregister; > } > > ret = ctdb_reply_control_db_pull(reply, &num_records); 
>@@ -634,13 +635,15 @@ static void pull_database_new_done(struct tevent_req *subreq) > if (num_records != state->num_records) { > LOG("mismatch (%u != %u) in DB_PULL records for %s\n", > num_records, state->num_records, recdb_name(state->recdb)); >- tevent_req_error(req, EIO); >- return; >+ state->result = EIO; >+ goto unregister; > } > > LOG("Pulled %d records for db %s from node %d\n", > state->num_records, recdb_name(state->recdb), state->pnn); > >+unregister: >+ > subreq = ctdb_client_remove_message_handler_send( > state, state->ev, state->client, > state->srvid, req); >@@ -668,6 +671,11 @@ static void pull_database_unregister_done(struct tevent_req *subreq) > return; > } > >+ if (state->result != 0) { >+ tevent_req_error(req, state->result); >+ return; >+ } >+ > tevent_req_done(req); > } > >-- >2.14.3 >
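Review bot: In the first hunk (struct pull_database_state), the new `int result;` field is assigned only on the two error paths in pull_database_new_done, yet pull_database_unregister_done reads it on every path via `if (state->result != 0)`. The success path therefore depends on the state being zeroed when the request is created, which is not visible in this patch. Either set `state->result = 0` where the state is set up in pull_database_send, or add a comment on the field saying that it holds the deferred error code and relies on zero-initialised state.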
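Review bot: At the new `unregister:` label in pull_database_new_done, the error paths now fall into `ctdb_client_remove_message_handler_send(...)`, which is asynchronous, so between the `goto unregister` and pull_database_unregister_done the handler for `state->srvid` is still registered while the commit message says the remote node may still be sending data. The request is alive during that window, so this closes the use-after-free, but pull_database_handler may still process records for a pull that has already failed. Consider having the handler return early when `state->result != 0`, or add a comment at the label stating that late data is still accepted until the removal completes.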
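Review bot: In the last hunk (pull_database_unregister_done), the added `if (state->result != 0)` block sits after an existing early `return;`, so the stored error is reported only when that earlier return is not taken. If that earlier branch fires, the value saved by the error paths in pull_database_new_done is dropped without being reported from this function. Suggest logging `state->result` before that early return when it is non-zero, or adding a short comment that documents which error takes precedence.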
Flags: martins: review+