From 015736d484415d20c4570ddd77216d7668a0bb9e Mon Sep 17 00:00:00 2001
From: Gu Zhongyan
Date: Fri, 2 Feb 2018 18:01:05 +0800
Subject: [PATCH] librados: invalid free() in rados_getxattrs_next()
Invalid free() can cause corruption when getting an object attribute with empty value. Check the validity of the pointer before free(). Also move the free() call at the start of rados_getxattrs_next() to avoid memory leak.
Fixes: http://tracker.ceph.com/issues/22042
Signed-off-by: Gu Zhongyan
---
 src/librados/librados.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/librados/librados.cc b/src/librados/librados.cc
index a3143973e2a..b95b779a128 100644
--- a/src/librados/librados.cc
+++ b/src/librados/librados.cc
@@ -4281,6 +4281,10 @@ extern "C" int rados_getxattrs_next(rados_xattrs_iter_t iter,
 {
 tracepoint(librados, rados_getxattrs_next_enter, iter);
 librados::RadosXattrsIter *it = static_cast(iter);
+ if (it->val) {
+ free(it->val);
+ it->val = NULL;
+ }
 if (it->i == it->attrset.end()) {
 *name = NULL;
 *val = NULL;
@@ -4288,7 +4292,6 @@ extern "C" int rados_getxattrs_next(rados_xattrs_iter_t iter,
 tracepoint(librados, rados_getxattrs_next_exit, 0, NULL, NULL, 0);
 return 0;
 }
- free(it->val);
 const std::string &s(it->i->first);
 *name = s.c_str();
 bufferlist &bl(it->i->second);
--
2.39.5
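Review bot: The `if (it->val)` guard added at the top of rados_getxattrs_next() does not by itself prevent an invalid free, because `free(NULL)` is already a no-op; the line that carries the fix is `it->val = NULL;`, which keeps a stale pointer from being released a second time on a later call or when the iterator is torn down. That protection holds only if every other assignment to `it->val` stores either NULL or a heap pointer, and those assignments sit below the hunk, so the empty-value path should be checked against that invariant. Moving the free ahead of the end-of-list test also means the call that returns the terminating NULL pair now releases the buffer handed out by the previous call, which is worth stating above the block, e.g. `// releases the buffer returned by the previous call; *val is valid only until the next call`. The function body continues past both hunks.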