Bug #37508

rbd_snap_list_end() segfaults if rbd_snap_list() fails

Added by Kefu Chai 3 months ago. Updated 3 months ago.

Status: Pending Backport
Priority: Normal
Assignee:
Target version: -
Start date: 12/04/2018
Due date:
% Done: 0%
Source:
Tags:
Backport: luminous, mimic
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

In SnapIterator in rbd.pyx, rbd_snap_list_end() is called by SnapIterator.__dealloc__(), and rbd_snap_list_end() frees snaps->name if it is not nullptr. But there is a chance that snaps->name is never initialized after snaps is allocated by SnapIterator.__init__; in that case, we will free() a wild pointer.
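
The failure mode described above, as an added C sketch that is not Ceph's code: `snap_info_t`, `mock_snap_list()` and `mock_snap_list_end()` are hypothetical stand-ins for the librbd record and calls. Zero-initialising the buffer is shown as one possible mitigation, not necessarily the fix applied upstream.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the snapshot record; not the librbd type. */
typedef struct {
    unsigned long id;
    char *name;               /* heap string owned by the list; NULL ends it */
} snap_info_t;

static int g_frees;           /* free() calls made by mock_snap_list_end() */

/* Mock lister: on failure it returns before writing anything to snaps. */
static int mock_snap_list(snap_info_t *snaps, int max, int fail)
{
    if (fail) return -ENOENT;
    if (max < 1) return -ERANGE;
    const char *names[] = { "snap-a", "snap-b" };     /* constructed data */
    int n = max - 1 < 2 ? max - 1 : 2;                /* keep a terminator slot */
    for (int i = 0; i < n; i++) {
        snaps[i].id = (unsigned long)i + 1;
        snaps[i].name = malloc(strlen(names[i]) + 1);
        if (!snaps[i].name) return -ENOMEM;           /* NULL name ends the list */
        strcpy(snaps[i].name, names[i]);
    }
    snaps[n].name = NULL;
    return n;
}

/* Mock cleanup: frees every name up to the first NULL one. */
static void mock_snap_list_end(snap_info_t *snaps)
{
    for (; snaps->name; snaps++) { free(snaps->name); g_frees++; }
}

/* Owner with unconditional cleanup, as a destructor would do. calloc() leaves
 * every name NULL, so cleanup after a failed list frees nothing. With malloc()
 * the names would be indeterminate here and cleanup would free() them. */
static int list_and_cleanup(int fail)
{
    enum { MAX = 4 };
    snap_info_t *snaps = calloc(MAX, sizeof *snaps);
    if (!snaps) return -ENOMEM;
    g_frees = 0;
    int rc = mock_snap_list(snaps, MAX, fail);
    mock_snap_list_end(snaps);
    free(snaps);
    return rc < 0 ? rc : g_frees;   /* error code, or number of names freed */
}

int main(void) { return list_and_cleanup(1) == -ENOENT ? 0 : 1; }
```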


Related issues

Copied to rbd - Backport #37535: luminous: rbd_snap_list_end() segfaults if rbd_snap_list() fails Resolved
Copied to rbd - Backport #37536: mimic: rbd_snap_list_end() segfaults if rbd_snap_list() fails In Progress

History

#1 Updated by Kefu Chai 3 months ago

  • Status changed from In Progress to Need Review

#2 Updated by Jason Dillaman 3 months ago

  • Status changed from Need Review to Pending Backport

#3 Updated by Nathan Cutler 3 months ago

  • Copied to Backport #37535: luminous: rbd_snap_list_end() segfaults if rbd_snap_list() fails added

#4 Updated by Nathan Cutler 3 months ago

  • Copied to Backport #37536: mimic: rbd_snap_list_end() segfaults if rbd_snap_list() fails added
