src/mds/MDSRank.cc: remove delete calls from handle_asok_command()

The allocated 'Formatter' passed to the function should be
freed by the caller to avoid missusage.

If handle_asok_command() free's the pointer to 'Formatter' to pass
an indication of an error back to the caller, it should have at least
set the pointer to NULL to work anyway.

Fix for:

CID 1316253 (#1 of 1): Use after free (USE_AFTER_FREE)
 deref_arg: Calling flush dereferences freed pointer f. (The dereference
 happens because this is a virtual function call.)

Signed-off-by: Danny Al-Gaaf <danny.al-gaaf@bisect.de>

diff --git a/src/mds/MDSDaemon.cc b/src/mds/MDSDaemon.cc
index dfd744cf1681e28c68eb722b01236022ea5c046d..8873ca5a334652971590743ca6312150ce598b9e 100644 (file)
--- a/src/mds/MDSDaemon.cc
+++ b/src/mds/MDSDaemon.cc
@@ -178,9 +178,8 @@ bool MDSDaemon::asok_command(string command, cmdmap_t& cmdmap, string format,
       dout(1) << "Can't run that command on an inactive MDS!" << dendl;
       f->dump_string("error", "mds_not_active");
     } else {
-      handled =  mds_rank->handle_asok_command(command, cmdmap, f, ss);
+      handled = mds_rank->handle_asok_command(command, cmdmap, f, ss);
     }
-
   }
   f->flush(ss);
   delete f;

diff --git a/src/mds/MDSRank.cc b/src/mds/MDSRank.cc
index a836dfb9e8dd845c6a7fca3e526899faab453d0c..943020bc79d0b4c8b7b8c12c6510918dca8c0887 100644 (file)
--- a/src/mds/MDSRank.cc
+++ b/src/mds/MDSRank.cc
@@ -1686,7 +1686,6 @@ bool MDSRankDispatcher::handle_asok_command(
     
     if (!got_val) {
       ss << "no target epoch given";
-      delete f;
       return true;
     }
     
@@ -1748,13 +1747,11 @@ bool MDSRankDispatcher::handle_asok_command(
     string path;
     if(!cmd_getval(g_ceph_context, cmdmap, "path", path)) {
       ss << "malformed path";
-      delete f;
       return true;
     }
     int64_t rank;
     if(!cmd_getval(g_ceph_context, cmdmap, "rank", rank)) {
       ss << "malformed rank";
-      delete f;
       return true;
     }
     command_export_dir(f, path, (mds_rank_t)rank);