The Samba-Bugzilla – Attachment 13888 Details for
Bug 13188
ctdb_recovery_helper crashes if recovery process times out
[patch]
Patches for v4-7
BZ13188-v4-7.patch (text/plain), 2.32 KB, created by
Amitay Isaacs
on 2017-12-22 19:35:25 UTC
>From c5ab2df42b2a28f8eac0cfef5f1a0a2b33aace70 Mon Sep 17 00:00:00 2001 >From: Amitay Isaacs <amitay@gmail.com> >Date: Wed, 13 Dec 2017 16:12:09 +1100 >Subject: [PATCH] ctdb-recovery-helper: Deregister message handler in error > paths > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13188 > >If PULL_DB control times out but the remote node is still sending the >data, then the tevent_req for pull_database_send will be freed without >removing the message handler. So when the data is received, srvid >handler will be called and it will try to access tevent_req which will >result in use-after-free and abort. > >Signed-off-by: Amitay Isaacs <amitay@gmail.com> >Reviewed-by: Martin Schwenke <martin@meltin.net> >--- > ctdb/server/ctdb_recovery_helper.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > >diff --git a/ctdb/server/ctdb_recovery_helper.c b/ctdb/server/ctdb_recovery_helper.c >index 9f7fc07d3c4..e966b3ac739 100644 >--- a/ctdb/server/ctdb_recovery_helper.c >+++ b/ctdb/server/ctdb_recovery_helper.c >@@ -397,6 +397,7 @@ struct pull_database_state { > uint32_t pnn; > uint64_t srvid; > int num_records; >+ int result; > }; > > static void pull_database_handler(uint64_t srvid, TDB_DATA data, >@@ -594,8 +595,8 @@ static void pull_database_new_done(struct tevent_req *subreq) > if (! status) { > D_ERR("control DB_PULL failed for %s on node %u, ret=%d\n", > recdb_name(state->recdb), state->pnn, ret); >- tevent_req_error(req, ret); >- return; >+ state->result = ret; >+ goto unregister; > } > > ret = ctdb_reply_control_db_pull(reply, &num_records); 
>@@ -604,13 +605,15 @@ static void pull_database_new_done(struct tevent_req *subreq) > D_ERR("mismatch (%u != %u) in DB_PULL records for db %s\n", > num_records, state->num_records, > recdb_name(state->recdb)); >- tevent_req_error(req, EIO); >- return; >+ state->result = EIO; >+ goto unregister; > } > > D_INFO("Pulled %d records for db %s from node %d\n", > state->num_records, recdb_name(state->recdb), state->pnn); > >+unregister: >+ > subreq = ctdb_client_remove_message_handler_send( > state, state->ev, state->client, > state->srvid, req); >@@ -638,6 +641,11 @@ static void pull_database_unregister_done(struct tevent_req *subreq) > return; > } > >+ if (state->result != 0) { >+ tevent_req_error(req, state->result); >+ return; >+ } >+ > tevent_req_done(req); > } > >-- >2.14.3 >
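Review bot: `state->result` is assigned only on the two error paths in pull_database_new_done but is read unconditionally in pull_database_unregister_done (`if (state->result != 0)`), so the success path depends on the new field starting at zero. None of the hunks shown initialises it. Please confirm that struct pull_database_state is zero-filled when the request is created, or set `state->result = 0` explicitly where the state is set up, so that a successful pull cannot be reported as a failure.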
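Review bot: in the last hunk (pull_database_unregister_done) the new `state->result` check is placed after the early `return` visible in the context lines just above it, so whenever that earlier branch is taken on an error path the saved DB_PULL error never reaches tevent_req_error. The original failure is already logged by the D_ERR calls in pull_database_new_done, so this only affects which error code the caller sees, but a one-line comment stating that the ordering is intentional, or checking `state->result` first, would make the precedence explicit. It would also help to document at the `unregister:` label that both error paths now deliberately fall through to ctdb_client_remove_message_handler_send, since that is the whole point of the use-after-free fix described in the commit message.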
Flags:
martins
:
review+