protocol/client: prevent use-after-free of frame->root
authorNiels de Vos <ndevos@redhat.com>
Thu, 12 Nov 2015 08:57:19 +0000 (09:57 +0100)
committerJeff Darcy <jdarcy@redhat.com>
Tue, 17 Nov 2015 17:14:20 +0000 (09:14 -0800)
A regression failure generated a coredump on the glusterfs-client side:

  (gdb) f 0
  #0  0x00007fba6cd76432 in client_submit_request (this=0x7fba68006fc0,
                  req=0x7fba6579aa70, frame=0x7fba5c0058cc,
                  prog=0x7fba6cfb53c0 <clnt3_3_fop_prog>, procnum=41,
                  cbkfn=0x7fba6cd9206d <client3_3_release_cbk>,
                  iobref=0x0, rsphdr=0x0, rsphdr_count=0,
                  rsp_payload=0x0, rsp_payload_count=0, rsp_iobref=0x0,
                  xdrproc=0x7fba79801075 <xdr_gfs3_release_req>) at
  /home/jenkins/root/workspace/rackspace-regression-2GB-triggered/xlators/protocol/client/src/client.c:324
  324                   frame->root->ngrps = ngroups;
  (gdb) l
  319                   gf_msg_debug (this->name, 0, "rpc_clnt_submit failed");
  320           }
  321
  322           if (!conf->send_gids) {
  323                   /* restore previous values */
  324                   frame->root->ngrps = ngroups;
  325                   if (ngroups <= SMALL_GROUP_COUNT)
  326                           frame->root->groups_small[0] = gid;
  327           }
  328
  (gdb) p *frame->root
  Cannot access memory at address 0x64185df000000000

After looking at this in more detail, the flow is like this:

  client_submit_request()
    |
    '- rpc_clnt_submit() // on line 314
         |
         '- cbkfn() // = client3_3_release_cbk
              |
              :- STACK_DESTROY (frame->root);
         .----'
    .----'
    |
    :- frame->root->ngrps = ngroups; // on line 324
    '

So there is a use-after-free, and restoring the previous groups in
frame->root after submission is not needed.

Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2
BUG: 128128
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: http://review.gluster.org/12575
Reviewed-by: Dan Lambright <dlambrig@redhat.com>
Tested-by: NetBSD Build System <jenkins@build.gluster.org>
Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
xlators/protocol/client/src/client.c

index dc3b75d4b2c74b480d51c97b3f851764303e06aa..39ac7c379da88370752e89956fa746ba139efcec 100644 (file)
@@ -228,8 +228,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
         struct iobref  *new_iobref = NULL;
         ssize_t         xdr_size   = 0;
         struct rpc_req  rpcreq     = {0, };
-        uint64_t        ngroups    = 0;
-        uint64_t        gid        = 0;
 
         GF_VALIDATE_OR_GOTO ("client", this, out);
         GF_VALIDATE_OR_GOTO (this->name, prog, out);
@@ -300,14 +298,11 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
 
         /* do not send all groups if they are resolved server-side */
         if (!conf->send_gids) {
-                /* copy some values for restoring later */
-                ngroups = frame->root->ngrps;
-                frame->root->ngrps = 1;
-                if (ngroups <= SMALL_GROUP_COUNT) {
-                        gid = frame->root->groups_small[0];
+                if (frame->root->ngrps <= SMALL_GROUP_COUNT) {
                         frame->root->groups_small[0] = frame->root->gid;
                         frame->root->groups = frame->root->groups_small;
                 }
+                frame->root->ngrps = 1;
         }
 
         /* Send the msg */
@@ -319,13 +314,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
                 gf_msg_debug (this->name, 0, "rpc_clnt_submit failed");
         }
 
-        if (!conf->send_gids) {
-                /* restore previous values */
-                frame->root->ngrps = ngroups;
-                if (ngroups <= SMALL_GROUP_COUNT)
-                        frame->root->groups_small[0] = gid;
-        }
-
         ret = 0;
 
         if (new_iobref)
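Review bot: The reason the post-submit block was removed is not visible at the call site, so the next change that needs `frame->root` after `rpc_clnt_submit()` will reintroduce the use-after-free described in the commit message. The code that remains after the call only touches `ret` and `new_iobref`, which is consistent with the fix, but the lifetime rule deserves a comment next to the submit: `/* rpc_clnt_submit() may invoke cbkfn synchronously, which can STACK_DESTROY frame->root; do not dereference frame or frame->root after this point. */`. Whether `frame` itself, as opposed to `frame->root`, stays valid after the callback is not shown here, so the wording should be checked against STACK_DESTROY. `client_submit_request` continues beyond the hunk.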