Bug 1503394 - Mishandling null check at send_brick_req of glusterfsd/src/gf_attach.c
Summary: Mishandling null check at send_brick_req of glusterfsd/src/gf_attach.c
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: GlusterFS
Classification: Community
Component: glusterd
Version: mainline
Hardware: All
OS: All
unspecified
low
Target Milestone: ---
Assignee: Sanju
QA Contact:
URL:
Whiteboard:
: 1505212 (view as bug list)
Depends On:
Blocks: 1502928 CVE-2017-15096 1505370
TreeView+ depends on / blocked
 
Reported: 2017-10-18 02:31 UTC by Sanju
Modified: 2017-12-08 17:43 UTC (History)
5 users (show)

Fixed In Version: glusterfs-3.13.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1502928
: 1505370 (view as bug list)
Environment:
Last Closed: 2017-12-08 17:43:44 UTC
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:


Attachments (Terms of Use)

Description Sanju 2017-10-18 02:31:39 UTC
+++ This bug was initially created as a clone of Bug #1502928 +++

Description of problem:

There are three of `goto out` at `send_brick_req`

        iobuf = iobuf_get2 (rpc->ctx->iobuf_pool, req_size);
        if (!iobuf)
                goto out;

        iobref = iobref_new ();
        if (!iobref)
                goto out;

        frame = create_frame (this, this->ctx->pool);
        if (!frame)
                goto out;

that indicates the three of them (iobuf, iobref, frame) might be null and then jumps to label `out`.

but there might be null pointer dereference after label out:
out:
        iobref_unref (iobref);
        iobuf_unref (iobuf);
        STACK_DESTROY (frame->root);

the error handling code might not work as expected.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

--- Additional comment from Worker Ant on 2017-10-17 09:10:47 EDT ---

REVIEW: https://review.gluster.org/18538 (glusterd:Dereferencing the null pointer) posted (#1) for review on master by Sanju Rakonde (srakonde@redhat.com)

--- Additional comment from Worker Ant on 2017-10-17 09:16:50 EDT ---

REVIEW: https://review.gluster.org/18538 (glusterd:Dereferencing the null pointer) posted (#2) for review on master by Sanju Rakonde (srakonde@redhat.com)

--- Additional comment from Worker Ant on 2017-10-17 09:29:43 EDT ---

REVIEW: https://review.gluster.org/18539 (glusterd:Dereferencing the null pointer) posted (#1) for review on release-3.10 by Sanju Rakonde (srakonde@redhat.com)

Comment 1 Worker Ant 2017-10-18 02:44:27 UTC
REVIEW: https://review.gluster.org/18542 (glusterfsd: Dereferencing the null pointer) posted (#1) for review on master by Sanju Rakonde (srakonde@redhat.com)

Comment 2 Worker Ant 2017-10-18 03:48:27 UTC
REVIEW: https://review.gluster.org/18542 (glusterfsd: Dereferencing the null pointer) posted (#2) for review on master by Sanju Rakonde (srakonde@redhat.com)

Comment 3 Worker Ant 2017-10-20 02:31:51 UTC
COMMIT: https://review.gluster.org/18542 committed in master by Atin Mukherjee (amukherj@redhat.com) 
------
commit 87bd25b64ae34cce95e87e724acfeab4c13d60a4
Author: Sanju Rakonde <srakonde@redhat.com>
Date:   Wed Oct 18 08:06:24 2017 +0530

    glusterfsd: Dereferencing the null pointer
    
    Problem: When control reaches to out, one of (iobref, iobuf, frame) can
    be null.for iobref, iobuf iobref_unref() and iobuf_unref() functions
    are called respectively, which are using GF_VALIDATE_OR_GOTO(), so
    there won't be null pointer dereference. But for frame without null
    checking STACK_DESTROY(frame->root) is called causing null pointer
    dereference.
    
    Fix: adding a line for null checking, the function
    STACK_DESTROY(frame->root) is called only when frame is not null.
    
    Change-Id: I3a6684c11fb7b694b81d6ad4fec3bced5562ad88
    BUG: 1503394
    Signed-off-by: Sanju Rakonde <srakonde@redhat.com>

Comment 4 Kaleb KEITHLEY 2017-10-23 12:02:09 UTC
*** Bug 1505212 has been marked as a duplicate of this bug. ***

Comment 5 Kaleb KEITHLEY 2017-10-23 12:07:32 UTC
Where are the backports to 3.12 and 3.10? Thanks

Comment 6 Shyamsundar 2017-12-08 17:43:44 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.13.0, please open a new bug report.

glusterfs-3.13.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2017-December/000087.html
[2] https://www.gluster.org/pipermail/gluster-users/


Note You need to log in before you can comment on or make changes to this bug.