Oscar Ou has uploaded this change for review.
Fix use-after-free in rados_kv_connect error paths

rados_kv_connect() calls rados_shutdown(clnt) in its error paths but
does not reset the file-scope static 'clnt' pointer to NULL. When the
caller (e.g. rados_cluster_init) subsequently invokes rados_kv_shutdown()
for cleanup, it sees a non-NULL clnt and calls rados_shutdown() again on
the already-freed handle, causing a use-after-free crash in
pthread_mutex_lock.

Also fix rados_ioctx_create failure path which fell through to
rados_ioctx_set_namespace() with an invalid io_ctx pointer.

Change-Id: Id9a8ef55e15bda21d43ab591ca9318884fed49bc
Signed-off-by: Oscar Ou <oscarou@synology.com>
---
M src/SAL/recovery/recovery_rados_kv.c
1 file changed, 5 insertions(+), 0 deletions(-)
git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/90/1237890/1
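The stale-handle pattern from the commit message, modelled as an added example; this is not code from nfs-ganesha or librados. The mock handle and the names mock_shutdown, kv_connect, kv_shutdown and run_scenario are hypothetical, and the mock counts a second shutdown instead of freeing memory so both paths can be run safely.

```c
#include <stdio.h>

/* Constructed stand-in for a cluster handle; 'live' is cleared on shutdown. */
struct mock_cluster { int live; };

static struct mock_cluster handle;
static struct mock_cluster *clnt;   /* file-scope static, as in the commit message */
static int stale_shutdowns;         /* shutdowns issued on an already-dead handle */

static void mock_shutdown(struct mock_cluster *c)
{
	if (!c->live)
		stale_shutdowns++;  /* a real library would touch freed memory here */
	c->live = 0;
}

/* Connect whose later step always fails; reset_on_error picks the
 * error path without (0) or with (1) the pointer reset. */
static int kv_connect(int reset_on_error)
{
	handle.live = 1;
	clnt = &handle;
	mock_shutdown(clnt);        /* error path tears the handle down */
	if (reset_on_error)
		clnt = NULL;        /* the reset the commit message describes */
	return -1;
}

/* Cleanup entry point: its only guard is a non-NULL pointer. */
static void kv_shutdown(void)
{
	if (clnt) {
		mock_shutdown(clnt);
		clnt = NULL;
	}
}

/* Failing init followed by the caller's cleanup; returns stale shutdowns. */
int run_scenario(int reset_on_error)
{
	stale_shutdowns = 0;
	clnt = NULL;
	if (kv_connect(reset_on_error) < 0)
		kv_shutdown();
	return stale_shutdowns;
}

int main(void)
{
	printf("no reset: %d, reset: %d\n", run_scenario(0), run_scenario(1));
	return 0;
}
```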