From: Kefu Chai Date: Mon, 3 Dec 2018 16:28:31 +0000 (+0800) Subject: librbd: reset snaps in rbd_snap_list() X-Git-Tag: v14.1.0~720^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F25379%2Fhead;p=ceph.git librbd: reset snaps in rbd_snap_list() in SnapIterator in rbd.pyx, rbd_snap_list_end() is called by SnapIterator.__dealloc__(). and rbd_snap_list_end() frees snaps->name if it is not nullptr. but there is chance that snaps->name is never initialized after snaps is allocated by SnapIterator.__init__, in that case, we will free() a wild pointer. Fixes: http://tracker.ceph.com/issues/37508 Signed-off-by: Kefu Chai --- diff --git a/src/librbd/librbd.cc b/src/librbd/librbd.cc index 03d8cbe561fb..817b464274c2 100644 --- a/src/librbd/librbd.cc +++ b/src/librbd/librbd.cc @@ -4471,6 +4471,7 @@ extern "C" int rbd_snap_list(rbd_image_t image, rbd_snap_info_t *snaps, tracepoint(librbd, snap_list_exit, -EINVAL, 0); return -EINVAL; } + memset(snaps, 0, sizeof(*snaps) * *max_snaps); int r = librbd::snap_list(ictx, cpp_snaps); if (r == -ENOENT) {
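Review bot: the new `memset(snaps, 0, sizeof(*snaps) * *max_snaps);` runs right after the `-EINVAL` early return, but the condition that early return tests is outside the visible context, so it is not clear that `snaps` and `*max_snaps` are validated before being dereferenced here. If callers may legitimately pass `snaps == NULL` with `*max_snaps == 0` to ask for the required size (the usual `-ERANGE` sizing idiom for this kind of C API), `memset` on a null pointer is undefined behaviour even with a zero length, and a negative `*max_snaps` would be converted to a huge `size_t` and overrun the buffer; please either confirm the check above rejects both cases or guard the call, e.g. `if (snaps != NULL && *max_snaps > 0) memset(snaps, 0, sizeof(*snaps) * *max_snaps);`. A one-line comment stating the intent (zeroing `name` so that `rbd_snap_list_end()` never frees an uninitialised pointer when `rbd_snap_list()` fails or returns early, as the commit message explains) would also help, since the zeroing is otherwise a non-obvious contract that the Python `SnapIterator.__dealloc__()` path now depends on.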