From: yangjun Date: Sun, 8 Dec 2019 01:09:53 +0000 (+0800) Subject: librbd: fix rbd_open_by_id, rbd_open_by_id_read_only X-Git-Tag: v13.2.9~92^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=976967391c8347e37b7784e84555759efda7c8df;p=ceph.git librbd: fix rbd_open_by_id, rbd_open_by_id_read_only These methods incorrectly delete ImageCtx on error, resulting in double-free heap corruption. Fixes: https://tracker.ceph.com/issues/43178 Signed-off-by: yangjun (cherry picked from commit 3457192c24a66ba499a7c9b1747bc29c79b34636) Conflicts: src/librbd/librbd.cc --- diff --git a/src/librbd/librbd.cc b/src/librbd/librbd.cc index de4ed31c56055..0e65fbc0302bb 100644 --- a/src/librbd/librbd.cc +++ b/src/librbd/librbd.cc @@ -2911,9 +2911,7 @@ extern "C" int rbd_open_by_id(rados_ioctx_t p, const char *id, ictx->id.c_str(), ictx->snap_name.c_str(), ictx->read_only); int r = ictx->state->open(false); - if (r < 0) { - delete ictx; - } else { + if (r >= 0) { *image = (rbd_image_t)ictx; } tracepoint(librbd, open_image_exit, r); @@ -2984,9 +2982,7 @@ extern "C" int rbd_open_by_id_read_only(rados_ioctx_t p, const char *id, ictx->id.c_str(), ictx->snap_name.c_str(), ictx->read_only); int r = ictx->state->open(false); - if (r < 0) { - delete ictx; - } else { + if (r >= 0) { *image = (rbd_image_t)ictx; } tracepoint(librbd, open_image_exit, r);
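Review bot: in the rbd_open_by_id hunk, the new `if (r >= 0) {` branch gives no hint of why the error path now does nothing. Only the commit message says that the ImageCtx is already freed when `ictx->state->open(false)` fails. Add a one-line comment above the branch stating that ownership of ictx passes to the open call on failure, so a later cleanup does not restore `delete ictx;` and bring the double free back. The hunk also leaves `*image` unwritten when r < 0. Either document that the out parameter is untouched on error or set it to a null handle there, so a caller that ignores the return value cannot go on to use a stale pointer.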
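Review bot: the rbd_open_by_id_read_only hunk repeats the identical three-line change, and the diff touches only src/librbd/librbd.cc, so neither error path gets a regression test. Add a test that calls both rbd_open_by_id and rbd_open_by_id_read_only with an id that fails to open and checks the negative return, run under a memory checker so a reintroduced `delete ictx;` is caught. Since the same bug sat in two copies of the same block, consider moving the shared open-and-assign sequence into one helper. The commit message lists a cherry-pick conflict in this file without saying how it was resolved; a sentence on that would help whoever reviews the backport.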