In ctdb_control_end_recovery,

We used to talloc_steal c (the command packet) and make it a child of the
"event script state context".
If we failed to create a eventscript child context for some reason,
this would have talloc freed state, but at the same time it would also
implicitely have freed c.
Once ctdb_control_end_recovery() returns the error back to the caller,
the caller would dereference both c, and also outdata which is a child of c
and we would either read garbage data or segv.

Change the ordering so we only talloc_steal c as a child of state IFF
we have successfully created a child context for the script.

BZ61068

diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c
index 9020363016e11b785fc4060d308ac6ee6e9b10b1..ed5c22b699e0f744f43430012677ea5f56ab3fc6 100644 (file)
--- a/server/ctdb_recover.c
+++ b/server/ctdb_recover.c
@@ -967,7 +967,7 @@ int32_t ctdb_control_end_recovery(struct ctdb_context *ctdb,
        state = talloc(ctdb, struct recovery_callback_state);
        CTDB_NO_MEMORY(ctdb, state);
 
-       state->c    = talloc_steal(state, c);
+       state->c    = c;
 
        ctdb_disable_monitoring(ctdb);
 
@@ -986,6 +986,7 @@ int32_t ctdb_control_end_recovery(struct ctdb_context *ctdb,
        }
 
        /* tell the control that we will be reply asynchronously */
+       state->c    = talloc_steal(state, c);
        *async_reply = true;
        return 0;
 }