Bug 13188 - ctdb_recovery_helper crashes if recovery process times out
Summary: ctdb_recovery_helper crashes if recovery process times out
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: CTDB (show other bugs)
Version: 4.7.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-13 05:34 UTC by Amitay Isaacs
Modified: 2018-01-03 08:06 UTC (History)
2 users (show)

See Also:

Attachments
Patches for v4-6 (2.34 KB, patch)
2017-12-22 19:34 UTC, Amitay Isaacs 		martins: review+
Details
Patches for v4-7 (2.32 KB, patch)
2017-12-22 19:35 UTC, Amitay Isaacs 		martins: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Amitay Isaacs 2017-12-13 05:34:30 UTC 
If PULL_DB control times out but the remote node is still sending the
data, then the tevent_req for pull_database_send will be freed without
removing the message handler.  So when the data is received, srvid
handler will be called and it will try to access tevent_req which will
result in use-after-free and abort.
Comment 1 Amitay Isaacs 2017-12-22 19:34:58 UTC 
Created attachment 13887 [details]
Patches for v4-6
Comment 2 Amitay Isaacs 2017-12-22 19:35:25 UTC 
Created attachment 13888 [details]
Patches for v4-7
Comment 3 Martin Schwenke 2017-12-23 01:09:11 UTC 
Sorry, I forgot about this or I would have done this a while ago.  At least it is low probability.
Comment 4 Martin Schwenke 2017-12-23 01:09:34 UTC 
Hi Karolin,

This is ready for 4.6 and 4.7.

Thanks...
Comment 5 Karolin Seeger 2018-01-02 08:57:07 UTC 
(In reply to Martin Schwenke from comment #4)
Pushed to autobuild-v4-{7,6}-test.
Comment 6 Karolin Seeger 2018-01-03 08:06:18 UTC 
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!