From 0b3c5dc58c36d7ee87876a8e9540b12078573f76 Mon Sep 17 00:00:00 2001
From: Sage Weil <sage@inktank.com>
Date: Fri, 28 Sep 2012 07:53:04 -0700
Subject: [PATCH] objecter: fix dereference after null check

CID 716933: Dereference after null check (FORWARD_NULL)
At (4): Passing null pointer "extra_ops->ops" to function "std::vector<OSDOp, std::allocator<OSDOp> >::operator [](std::vector<OSDOp, std::allocator<OSDOp> >::size_type)", which dereferences it. [hide details]

All callers pass 1, but this was also hard-coded into the helper logic.
Fix code (and doxygen desc) to allow other values.

Signed-off-by: Sage Weil <sage@inktank.com>
---
 src/osdc/Objecter.h | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/osdc/Objecter.h b/src/osdc/Objecter.h
index 1d3937f7aa15e..b23c0c5059676 100644
--- a/src/osdc/Objecter.h
+++ b/src/osdc/Objecter.h
@@ -1056,22 +1056,23 @@ private:
   /**
    * set up initial ops in the op vector, and allocate a final op slot.
    *
-   * The caller is responsible for filling in the final op.
+   * The caller is responsible for filling in the final ops_count ops.
    *
    * @param ops op vector
-   * @param ops_count number of initial ops
+   * @param ops_count number of final ops the caller will fill in
    * @param extra_ops pointer to [array of] initial op[s]
    * @return index of final op (for caller to fill in)
    */
   int init_ops(vector<OSDOp>& ops, int ops_count, ObjectOperation *extra_ops) {
     int i;
+    int extra = 0;
 
     if (extra_ops)
-      ops_count += extra_ops->ops.size();
+      extra = extra_ops->ops.size();
 
-    ops.resize(ops_count);
+    ops.resize(ops_count + extra);
 
-    for (i=0; i<ops_count - 1; i++) {
+    for (i=0; i<extra; i++) {
       ops[i] = extra_ops->ops[i];
     }
 
-- 
2.39.5