From ded1cf4a93d15ca3be312d296c3ab956109587e3 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Fri, 29 Aug 2014 19:16:56 -0700
Subject: [PATCH] osd/ReplicatedPG: avoid dereferencing iterator at end()

The preceding loop could terminate with p == snapset.clones.end(), which we assign to dnewest. We can't dereference the iterator in that case. For example: start_flush ffe627f3/foo/a/test-rados-api-plana05-22080-18/83 v430'42 uv130 blocking snapset b=[b,a]:[a,b]+head start_flush no older clones prev_snapc will be 0, oi.snaps will be [a], p will end up at end(), get assigned to dnewest, and we'll dereference. It's only sometime harmful though because we may still take the right (else) branch...
Fixes: #9294
Signed-off-by: Sage Weil
---
 src/osd/ReplicatedPG.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/osd/ReplicatedPG.cc b/src/osd/ReplicatedPG.cc
index b52f2e7135262..1f1cdd6053f77 100644
--- a/src/osd/ReplicatedPG.cc
+++ b/src/osd/ReplicatedPG.cc
@@ -6441,7 +6441,7 @@ int ReplicatedPG::start_flush(
 vector::iterator dnewest = p;
 // we may need to send a delete first
- if (prev_snapc + 1 < *dnewest) {
+ if (dnewest != snapset.snaps.end() && prev_snapc + 1 < *dnewest) {
 while (p != snapset.snaps.end() && *p > prev_snapc)
 ++p;
 dsnapc.snaps = vector(p, snapset.snaps.end());
-- 
2.39.5
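Review bot: The new `dnewest != snapset.snaps.end()` guard on the `if` carries no comment saying why `dnewest` can sit at end(), so a later edit could drop or reorder the condition and bring back the out-of-bounds read. I would add above it `// p (and so dnewest) may be snaps.end() if the preceding loop ran off the end; never dereference it unchecked`. Reading `*end()` on a vector is undefined behaviour, so the old outcome depended on whatever followed the buffer, which fits the "only sometime harmful" remark in the description. start_flush continues outside this hunk, so any other `*dnewest` or `*p` further down would need the same end() check; whether one exists is not visible here.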