From: Danny Al-Gaaf Date: Wed, 23 Sep 2015 22:51:30 +0000 (+0200) Subject: src/mds/MDSRank.cc: remove delete calls from handle_asok_command() X-Git-Tag: v10.0.4~86^2~20 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=cbbe79af8d5d2dd11b43a6b4c9863621ee674408;p=ceph.git src/mds/MDSRank.cc: remove delete calls from handle_asok_command() The allocated 'Formatter' passed to the function should be freed by the caller to avoid missusage. If handle_asok_command() free's the pointer to 'Formatter' to pass an indication of an error back to the caller, it should have at least set the pointer to NULL to work anyway. Fix for: CID 1316253 (#1 of 1): Use after free (USE_AFTER_FREE) deref_arg: Calling flush dereferences freed pointer f. (The dereference happens because this is a virtual function call.) Signed-off-by: Danny Al-Gaaf --- diff --git a/src/mds/MDSDaemon.cc b/src/mds/MDSDaemon.cc index dfd744cf1681..8873ca5a3346 100644 --- a/src/mds/MDSDaemon.cc +++ b/src/mds/MDSDaemon.cc @@ -178,9 +178,8 @@ bool MDSDaemon::asok_command(string command, cmdmap_t& cmdmap, string format, dout(1) << "Can't run that command on an inactive MDS!" << dendl; f->dump_string("error", "mds_not_active"); } else { - handled = mds_rank->handle_asok_command(command, cmdmap, f, ss); + handled = mds_rank->handle_asok_command(command, cmdmap, f, ss); } - } f->flush(ss); delete f; diff --git a/src/mds/MDSRank.cc b/src/mds/MDSRank.cc index a836dfb9e8dd..943020bc79d0 100644 --- a/src/mds/MDSRank.cc +++ b/src/mds/MDSRank.cc @@ -1686,7 +1686,6 @@ bool MDSRankDispatcher::handle_asok_command( if (!got_val) { ss << "no target epoch given"; - delete f; return true; } @@ -1748,13 +1747,11 @@ bool MDSRankDispatcher::handle_asok_command( string path; if(!cmd_getval(g_ceph_context, cmdmap, "path", path)) { ss << "malformed path"; - delete f; return true; } int64_t rank; if(!cmd_getval(g_ceph_context, cmdmap, "rank", rank)) { ss << "malformed rank"; - delete f; return true; } command_export_dir(f, path, (mds_rank_t)rank);