From 327d426137fcd4e421e490008f1abe9435e50cd0 Mon Sep 17 00:00:00 2001
From: Kefu Chai
Date: Tue, 4 Dec 2018 00:28:31 +0800
Subject: [PATCH] librbd: reset snaps in rbd_snap_list()

in SnapIterator in rbd.pyx, rbd_snap_list_end() is called by SnapIterator.__dealloc__(). and rbd_snap_list_end() frees snaps->name if it is not nullptr. but there is chance that snaps->name is never initialized after snaps is allocated by SnapIterator.__init__, in that case, we will free() a wild pointer.

Fixes: http://tracker.ceph.com/issues/37508
Signed-off-by: Kefu Chai
(cherry picked from commit 5431fba5c5c9122418b6a03df4ed89f86fbb35e3)
---
 src/librbd/librbd.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/librbd/librbd.cc b/src/librbd/librbd.cc
index 559341566194e..7c07d0bde1f0a 100644
--- a/src/librbd/librbd.cc
+++ b/src/librbd/librbd.cc
@@ -3493,6 +3493,7 @@ extern "C" int rbd_snap_list(rbd_image_t image, rbd_snap_info_t *snaps,
     tracepoint(librbd, snap_list_exit, -EINVAL, 0);
     return -EINVAL;
   }
+  memset(snaps, 0, sizeof(*snaps) * *max_snaps);
   int r = librbd::snap_list(ictx, cpp_snaps);
   if (r == -ENOENT) {
-- 
2.47.3
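Review bot: The added `memset` on the `+` line sizes its write by `*max_snaps` right after a check that only verified the `max_snaps` pointer is non-null, not that the count itself is sane; if `max_snaps` is the signed `int *` of the public `rbd_snap_list()` signature, a negative or over-large caller-supplied value is converted to a huge `size_t` byte count and the zeroing runs far past `snaps` before any later range handling in the function (outside this hunk) can reject it. A caller probing for the required size with `snaps == NULL` and a zero count also reaches the new line, which is technically undefined even for a zero length. Guarding it, `if (snaps && *max_snaps > 0) memset(snaps, 0, sizeof(*snaps) * static_cast<size_t>(*max_snaps));`, keeps the intended effect — every entry's `name` starts out null so `rbd_snap_list_end()` never frees an uninitialized pointer — without trusting the caller's count for the write size. `rbd_snap_list()` begins and ends outside the hunk.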