librbd: reset snaps in rbd_snap_list()

in SnapIterator in rbd.pyx, rbd_snap_list_end() is called by
SnapIterator.__dealloc__(). and rbd_snap_list_end() frees
snaps->name if it is not nullptr.  but there is chance that
snaps->name is never initialized after snaps is allocated by
SnapIterator.__init__, in that case, we will free() a wild pointer.

Fixes: http://tracker.ceph.com/issues/37508
Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit 5431fba5c5c9122418b6a03df4ed89f86fbb35e3)

diff --git a/src/librbd/librbd.cc b/src/librbd/librbd.cc
index 559341566194ec780006db3fd17ca476640ba5ee..7c07d0bde1f0a9caf887e47de3cd3ea1e7ecd4df 100644 (file)
--- a/src/librbd/librbd.cc
+++ b/src/librbd/librbd.cc
@@ -3493,6 +3493,7 @@ extern "C" int rbd_snap_list(rbd_image_t image, rbd_snap_info_t *snaps,
     tracepoint(librbd, snap_list_exit, -EINVAL, 0);
     return -EINVAL;
   }
+  memset(snaps, 0, sizeof(*snaps) * *max_snaps);
 
   int r = librbd::snap_list(ictx, cpp_snaps);
   if (r == -ENOENT) {