| commit | 8b2e01a20656620c63d84c8b02a9a13f41a0fe25 | |
| author | Martin Schwenke <martin@meltin.net> | |
| Tue, 30 Aug 2016 22:29:13 +0000 (31 08:29 +1000) | ||
| committer | Stefan Metzmacher <metze@samba.org> | |
| Tue, 6 Sep 2016 06:22:17 +0000 (6 08:22 +0200) | ||
| tree | e5dac521a8b321804b064f8ab844e97a9c7202b2 | treesnapshot (tar.gz zip) |
| parent | d9f5a6ab0fba3c7ba77c93040c7e190877c3573d | commitdiff |
ctdb-daemon: Don't steal control structure before synchronous reply
If *async_reply isn't set then the calling code will reply to the
control and free the control structure. In some places the control
structure pointer is stolen onto state before a synchronous exit due
to an error condition. The error handling then frees state and
returns an error. The calling code will access-after-free when trying
to reply to the control.
To make this easier to understand, the convention is that any
(immediate) error results in a synchronous reply to the control via an
error return code AND *async_reply not being set. In this case the
control structure pointer should never be stolen onto state. State is
never used for a synchronous reply, it is only ever used by a
callback.
Also initialise state->c to NULL so that any premature call to a
callback (e.g. in an immediate error path) is more obvious.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12180
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 9d975b860d52030a702723c70791c6a2829107c0)
If *async_reply isn't set then the calling code will reply to the
control and free the control structure. In some places the control
structure pointer is stolen onto state before a synchronous exit due
to an error condition. The error handling then frees state and
returns an error. The calling code will access-after-free when trying
to reply to the control.
To make this easier to understand, the convention is that any
(immediate) error results in a synchronous reply to the control via an
error return code AND *async_reply not being set. In this case the
control structure pointer should never be stolen onto state. State is
never used for a synchronous reply, it is only ever used by a
callback.
Also initialise state->c to NULL so that any premature call to a
callback (e.g. in an immediate error path) is more obvious.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12180
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
(cherry picked from commit 9d975b860d52030a702723c70791c6a2829107c0)
| ctdb/server/ctdb_takeover.c | diffblobblamehistory | |
| ctdb/server/eventscript.c | diffblobblamehistory |