An invalid free() can cause corruption when getting an object
attribute with an empty value.
Check the validity of the pointer before free(). Also move
the free() call to the start of rados_getxattrs_next() to
avoid a memory leak.
Fixes: http://tracker.ceph.com/issues/22042
Signed-off-by: Gu Zhongyan <guzhongyan@360.cn>
(cherry picked from commit
015736d484415d20c4570ddd77216d7668a0bb9e)
{
tracepoint(librados, rados_getxattrs_next_enter, iter);
librados::RadosXattrsIter *it = static_cast<librados::RadosXattrsIter*>(iter);
+ if (it->val) {
+ free(it->val);
+ it->val = NULL;
+ }
if (it->i == it->attrset.end()) {
*name = NULL;
*val = NULL;
tracepoint(librados, rados_getxattrs_next_exit, 0, NULL, NULL, 0);
return 0;
}
- free(it->val);
const std::string &s(it->i->first);
*name = s.c_str();
bufferlist &bl(it->i->second);
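Review bot: The `if (it->val)` guard on the added lines does not validate the pointer: `free(NULL)` is already a no-op, and a non-null test cannot tell a live allocation from a stale one, so what actually prevents a second free of the same buffer is the `it->val = NULL;` reset. I would write it as `free(it->val); it->val = NULL;` with a comment such as `// drop the previous call's value buffer; reset so a later call or the iterator teardown cannot free it again`. The fix also relies on `val` being initialised to NULL when the `RadosXattrsIter` is created, which is not visible here and is worth confirming. The buffer handed out through `*val` by the previous call is now released on every call, including the end-of-iteration one, so the function's API comment should say the returned value is only valid until the next call; the function body starts and ends outside the hunk.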