Re: memory corruption in release-3.3

Emmanuel Dreyfus <manu@xxxxxxxxxx> wrote:

> Looking at the code, I see that there are places where loc->path is
> allocated by gf_strdup(). I see other places where it is copied from
> another buffer. Since this is done without reference counts, it seems
> likely that there is a double free somewhere. Opinions?

I found a bug: Thou shalt not free(3) memory dirname(3) returned

On Linux basename() and dirname() return a pointer with the string
passed as argument. On BSD flavors, basename() and dirname() return
static storage, or pthread specific storage. Both behaviours are
compliant, but calling free on the result in the second case is a bug.

--- xlators/cluster/afr/src/afr-dir-write.c.orig        2012-05-19
16:45:30.000000000 +0200
+++ xlators/cluster/afr/src/afr-dir-write.c     2012-05-19
17:03:17.000000000 +0200
@@ -55,14 +55,22 @@
                 if (op_errno)
                         *op_errno = ENOMEM;
                 goto out;
         }
-        parent->path = dirname (child_path);
+        parent->path = gf_strdup( dirname (child_path) );
+       if (!parent->path) {
+                if (op_errno)
+                        *op_errno = ENOMEM;
+                goto out;
+        }
         parent->inode  = inode_ref (child->parent);
         uuid_copy (parent->gfid, child->pargfid);
 
         ret = 0;
 out:
+       if (child_path)
+               GF_FREE(child_path);
+
         return ret;
 }
 
 /* {{{ create */
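Review bot: GF_FREE(child_path) at out: is only the matching release if child_path was allocated through gf_strdup()/GF_MALLOC, and that allocation sits outside this hunk, so it is worth confirming (a plain strdup() there would pair with free(), not GF_FREE). The copy itself is right: on glibc dirname() returns a pointer into child_path (and may write a NUL into it), on BSD it returns static storage, and gf_strdup() gives parent->path an owned buffer in both cases, while the free at out: now also covers the earlier ENOMEM goto. Style: the `+       if (!parent->path) {`, `+       if (child_path)` and `+               GF_FREE(child_path);` lines use 7-space indentation against the file's 8, and `gf_strdup( dirname (child_path) )` should be `gf_strdup (dirname (child_path))` to match the surrounding call spacing.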
-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@xxxxxxxxxx
