From 0e07f7f0459770a598d0b7684b0f176e2222f5d7 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Sat, 16 Aug 2014 14:51:31 -0700
Subject: [PATCH] osd: fix theoretical use-after-free of OSDMap

In practice, the map will remain pinned for a while, but this will make coverity happy.

*** CID 1231685: Use after free (USE_AFTER_FREE)
/osd/OSD.cc: 6223 in OSD::handle_osd_map(MOSDMap *)()
6217
6218 if (o->test_flag(CEPH_OSDMAP_FULL))
6219 last_marked_full = e;
6220 pinned_maps.push_back(add_map(o));
6221
6222 bufferlist fbl;
>>> CID 1231685: Use after free (USE_AFTER_FREE)
>>> Calling "encode" dereferences freed pointer "o".
6223 o->encode(fbl);
6224
6225 hobject_t fulloid = get_osdmap_pobject_name(e);
6226 t.write(coll_t::META_COLL, fulloid, 0, fbl.length(), fbl);
6227 pin_map_bl(e, fbl);
6228 continue;

Signed-off-by: Sage Weil
---
 src/osd/OSD.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/osd/OSD.cc b/src/osd/OSD.cc
index 4d4c55288e05e..a9b40026cb0f5 100644
--- a/src/osd/OSD.cc
+++ b/src/osd/OSD.cc
@@ -6183,11 +6183,11 @@ void OSD::handle_osd_map(MOSDMap *m)
 o->decode(bl);
 if (o->test_flag(CEPH_OSDMAP_FULL))
 last_marked_full = e;
- pinned_maps.push_back(add_map(o));
 
 hobject_t fulloid = get_osdmap_pobject_name(e);
 t.write(coll_t::META_COLL, fulloid, 0, bl.length(), bl);
 pin_map_bl(e, bl);
+ pinned_maps.push_back(add_map(o));
 continue;
 }
 
@@ -6217,7 +6217,6 @@ void OSD::handle_osd_map(MOSDMap *m)
 
 if (o->test_flag(CEPH_OSDMAP_FULL))
 last_marked_full = e;
- pinned_maps.push_back(add_map(o));
 
 bufferlist fbl;
 o->encode(fbl);
@@ -6225,6 +6224,7 @@ void OSD::handle_osd_map(MOSDMap *m)
 hobject_t fulloid = get_osdmap_pobject_name(e);
 t.write(coll_t::META_COLL, fulloid, 0, fbl.length(), fbl);
 pin_map_bl(e, fbl);
+ pinned_maps.push_back(add_map(o));
 continue;
 }
--
2.39.5
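Review bot: The fix rests entirely on statement order — once `pinned_maps.push_back(add_map(o));` is moved to the end of each branch (first hunk, and the second/third hunks together), nothing in the code records that `o` must not be dereferenced after it has been handed to add_map(), so a later edit appending another `o->` use after that line would silently reintroduce the use-after-free coverity reported. The ownership semantics of add_map() are not visible in these hunks; the coverity trace in the commit message suggests it can release the caller's pointer, which is worth confirming against its definition. I would annotate the moved line in both branches with a comment such as `// add_map() may take over (and free) o — keep this last; do not use o below`, so the ordering constraint survives future refactors. handle_osd_map's body begins and ends outside the hunks, so any other uses of `o` further down the function cannot be checked from here.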