Emmanuel Dreyfus <manu@xxxxxxxxxx> wrote:
> Looking at the code, I see that there are places where loc->path is
> allocated by gf_strdup(). I see other places where it is copied from
> another buffer. Since this is done without reference counts, it seems
> likely that there is a double free somewhere. Opinions?
I found a bug: Thou shalt not free(3) memory dirname(3) returned
On Linux basename() and dirname() return a pointer with the string
passed as argument. On BSD flavors, basename() and dirname() return
static storage, or pthread specific storage. Both behaviour are
compliant, but calling free on the result in the second case is a bug.
--- xlators/cluster/afr/src/afr-dir-write.c.orig 2012-05-19
16:45:30.000000000 +0200
+++ xlators/cluster/afr/src/afr-dir-write.c 2012-05-19
17:03:17.000000000 +0200
@@ -55,14 +55,22 @@
if (op_errno)
*op_errno = ENOMEM;
goto out;
}
- parent->path = dirname (child_path);
+ parent->path = gf_strdup( dirname (child_path) );
+ if (!parent->path) {
+ if (op_errno)
+ *op_errno = ENOMEM;
+ goto out;
+ }
parent->inode = inode_ref (child->parent);
uuid_copy (parent->gfid, child->pargfid);
ret = 0;
out:
+ if (child_path)
+ GF_FREE(child_path);
+
return ret;
}
/* {{{ create */--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@xxxxxxxxxx
