librbd: fix rbd_open_by_id, rbd_open_by_id_read_only 33315/head
authoryangjun <yangjun@cmss.chinamobile.com>
Sun, 8 Dec 2019 01:09:53 +0000 (09:09 +0800)
committerNathan Cutler <ncutler@suse.com>
Fri, 14 Feb 2020 11:06:51 +0000 (12:06 +0100)
These methods incorrectly delete ImageCtx on error, resulting
in double-free heap corruption.

Fixes: https://tracker.ceph.com/issues/43178
Signed-off-by: yangjun <yangjun@cmss.chinamobile.com>
(cherry picked from commit 3457192c24a66ba499a7c9b1747bc29c79b34636)

Conflicts:
src/librbd/librbd.cc

src/librbd/librbd.cc

index de4ed31c560554c965801e83ca0577bda0aae9db..0e65fbc0302bb3369f783b41ee35c56eb4a40a42 100644 (file)
@@ -2911,9 +2911,7 @@ extern "C" int rbd_open_by_id(rados_ioctx_t p, const char *id,
              ictx->id.c_str(), ictx->snap_name.c_str(), ictx->read_only);
 
   int r = ictx->state->open(false);
-  if (r < 0) {
-    delete ictx;
-  } else {
+  if (r >= 0) {
     *image = (rbd_image_t)ictx;
   }
   tracepoint(librbd, open_image_exit, r);
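Review bot: Nothing at `if (r >= 0)` records why the failure path must not free `ictx`, and the same applies to the identical hunk in rbd_open_by_id_read_only. Going by the commit message, the context has already been released by the time `ictx->state->open(false)` returns an error, so a comment above the check such as `// on failure open() has already destroyed ictx; it must not be deleted or dereferenced here` would stop a later cleanup from re-adding the `delete` and reintroducing the double free. The failure path also leaves `*image` unwritten, so a caller that ignores the return value keeps whatever handle value it passed in; that is worth stating in the function's documentation. Both function bodies start and end outside the hunks, so any later use of `ictx` after the tracepoint is not visible here and should be checked.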
@@ -2984,9 +2982,7 @@ extern "C" int rbd_open_by_id_read_only(rados_ioctx_t p, const char *id,
              ictx->id.c_str(), ictx->snap_name.c_str(), ictx->read_only);
 
   int r = ictx->state->open(false);
-  if (r < 0) {
-    delete ictx;
-  } else {
+  if (r >= 0) {
     *image = (rbd_image_t)ictx;
   }
   tracepoint(librbd, open_image_exit, r);