librbd: reset snaps in rbd_snap_list()

in SnapIterator in rbd.pyx, rbd_snap_list_end() is called by
SnapIterator.__dealloc__(). and rbd_snap_list_end() frees
snaps->name if it is not nullptr.  but there is chance that
snaps->name is never initialized after snaps is allocated by
SnapIterator.__init__, in that case, we will free() a wild pointer.

Fixes: http://tracker.ceph.com/issues/37508
Signed-off-by: Kefu Chai <kchai@redhat.com>

diff --git a/src/librbd/librbd.cc b/src/librbd/librbd.cc
index 03d8cbe561fb2b5a1bef7e717f1e0708e2a5ceb4..817b464274c25d37cf68266ffcfb45cd2688e710 100644 (file)
--- a/src/librbd/librbd.cc
+++ b/src/librbd/librbd.cc
@@ -4471,6 +4471,7 @@ extern "C" int rbd_snap_list(rbd_image_t image, rbd_snap_info_t *snaps,
     tracepoint(librbd, snap_list_exit, -EINVAL, 0);
     return -EINVAL;
   }
+  memset(snaps, 0, sizeof(*snaps) * *max_snaps);
 
   int r = librbd::snap_list(ictx, cpp_snaps);
   if (r == -ENOENT) {