rbd: fix crash during map

Currently the iterator isn't advanced after the erase call leading to a
second call on the iterator, which crashes due to a double free.
Since C++11 the map::erase function returns an iterator pointing to the
next element. Use the return value to set the iterator after erasing.

Fixes: http://tracker.ceph.com/issues/21808
Signed-off-by: Peter Keresztes Schmidt <carbenium@outlook.com>
(cherry picked from commit 9e49c4124422e58dd40dfb6038425430d3845412)

diff --git a/src/tools/rbd/action/Kernel.cc b/src/tools/rbd/action/Kernel.cc
index a829c8bb0255e9474fe0f791390eefca5d5c077b..051c3fcf1ef3b38d99a0a21b3a50248e94ec00f6 100644 (file)
--- a/src/tools/rbd/action/Kernel.cc
+++ b/src/tools/rbd/action/Kernel.cc
@@ -233,7 +233,7 @@ static int do_kernel_map(const char *poolname, const char *imgname,
     // default and omit it even if it was specified by the user
     // (see ceph.git commit fb0f1986449b)
     if (it->first == "rw" && it->second == "rw") {
-      map_options.erase(it);
+      it = map_options.erase(it);
     } else {
       if (it != map_options.begin())
         oss << ",";