git.samba.org / ctdb.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5471fe7) | patch
locking: Avoid memory corruption in ctdb_lock_context_destructor
authorStefan Metzmacher <metze@samba.org>
Tue, 26 May 2015 14:45:34 +0000 (16:45 +0200)
committerAmitay Isaacs <amitay@gmail.com>
Mon, 15 Jun 2015 02:13:00 +0000 (12:13 +1000)
commit9d2ba86dc9ec8bebc7d28c62d729c5dbe2aca1ec
tree25b7d31e46b9fda90c45dcffbd2a72c5af6c4f60tree
parent5471fe7a68549ddac6cf6e9a235477adb01c4086commit | diff
locking: Avoid memory corruption in ctdb_lock_context_destructor

If the lock request is freed from within the callback, then setting
lock_ctx->request to NULL in ctdb_lock_context_destructor will end up
corrupting memory.  In this case, lock_ctx->request could be reallocated
and pointing to something else.  This may cause unexpected abort trying
to dereference a NULL pointer.

So, set lock_ctx->request to NULL before processing callbacks.

This avoids the following valgrind problem.

==3636== Invalid write of size 8
==3636==    at 0x151F3D: ctdb_lock_context_destructor (ctdb_lock.c:276)
==3636==    by 0x58B3618: _talloc_free_internal (talloc.c:993)
==3636==    by 0x58AD692: _talloc_free_children_internal (talloc.c:1472)
==3636==    by 0x58AD692: _talloc_free_internal (talloc.c:1019)
==3636==    by 0x58AD692: _talloc_free (talloc.c:1594)
==3636==    by 0x15292E: ctdb_lock_handler (ctdb_lock.c:471)
==3636==    by 0x56A535A: epoll_event_loop (tevent_epoll.c:728)
==3636==    by 0x56A535A: epoll_event_loop_once (tevent_epoll.c:926)
==3636==    by 0x56A3826: std_event_loop_once (tevent_standard.c:114)
==3636==    by 0x569FFFC: _tevent_loop_once (tevent.c:533)
==3636==    by 0x56A019A: tevent_common_loop_wait (tevent.c:637)
==3636==    by 0x56A37C6: std_event_loop_wait (tevent_standard.c:140)
==3636==    by 0x11E03A: ctdb_start_daemon (ctdb_daemon.c:1320)
==3636==    by 0x118557: main (ctdbd.c:321)
==3636==  Address 0x9c5b660 is 96 bytes inside a block of size 120 free'd
==3636==    at 0x4C29D17: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3636==    by 0x58B32D3: _talloc_free_internal (talloc.c:1063)
==3636==    by 0x58B3232: _talloc_free_children_internal (talloc.c:1472)
==3636==    by 0x58B3232: _talloc_free_internal (talloc.c:1019)
==3636==    by 0x58B3232: _talloc_free_children_internal (talloc.c:1472)
==3636==    by 0x58B3232: _talloc_free_internal (talloc.c:1019)
==3636==    by 0x58AD692: _talloc_free_children_internal (talloc.c:1472)
==3636==    by 0x58AD692: _talloc_free_internal (talloc.c:1019)
==3636==    by 0x58AD692: _talloc_free (talloc.c:1594)
==3636==    by 0x11EC30: daemon_incoming_packet (ctdb_daemon.c:844)
==3636==    by 0x136F4A: lock_fetch_callback (ctdb_ltdb_server.c:268)
==3636==    by 0x152489: process_callbacks (ctdb_lock.c:353)
==3636==    by 0x152489: ctdb_lock_handler (ctdb_lock.c:468)
==3636==    by 0x56A535A: epoll_event_loop (tevent_epoll.c:728)
==3636==    by 0x56A535A: epoll_event_loop_once (tevent_epoll.c:926)
==3636==    by 0x56A3826: std_event_loop_once (tevent_standard.c:114)
==3636==    by 0x569FFFC: _tevent_loop_once (tevent.c:533)
==3636==    by 0x56A019A: tevent_common_loop_wait (tevent.c:637)
==3636==    by 0x56A37C6: std_event_loop_wait (tevent_standard.c:140)
==3636==    by 0x11E03A: ctdb_start_daemon (ctdb_daemon.c:1320)
==3636==    by 0x118557: main (ctdbd.c:321)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11293

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(Imported from commit ee02e40e869fd46f113d016122dd5384b7887228)
server/ctdb_lock.c diff | blob | history
CTDB repository