Bug #37508
rbd_snap_list_end() segfaults if rbd_snap_list() fails
% Done:
0%
Source:
Tags:
Backport:
luminous, mimic
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
in SnapIterator in rbd.pyx, rbd_snap_list_end() is called by SnapIterator.__dealloc__(). and rbd_snap_list_end() freessnaps->name if it is not nullptr. but there is chance that snaps->name is never initialized after snaps is allocated by SnapIterator.__init__, in that case, we will free() a wild pointer.
Related issues
History
#1 Updated by Kefu Chai about 4 years ago
- Status changed from In Progress to Fix Under Review
#2 Updated by Jason Dillaman about 4 years ago
- Status changed from Fix Under Review to Pending Backport
#3 Updated by Nathan Cutler about 4 years ago
- Copied to Backport #37535: luminous: rbd_snap_list_end() segfaults if rbd_snap_list() fails added
#4 Updated by Nathan Cutler about 4 years ago
- Copied to Backport #37536: mimic: rbd_snap_list_end() segfaults if rbd_snap_list() fails added
#5 Updated by Nathan Cutler almost 2 years ago
- Status changed from Pending Backport to Resolved
While running with --resolve-parent, the script "backport-create-issue" noticed that all backports of this issue are in status "Resolved" or "Rejected".