[Bugs] [Bug 1218381] rpc: Memory corruption because rpcsvc_register_notify interprets opaque mydata argument as xlator pointer

bugzilla at redhat.com bugzilla at redhat.com
Tue May 5 13:29:25 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1218381



--- Comment #2 from Anand Avati <aavati at redhat.com> ---
COMMIT: http://review.gluster.org/10534 committed in release-3.7 by Vijay Bellur (vbellur at redhat.com)
------
commit 783d78de250ba4159e5c59cdf476305ccb0814ec
Author: Kotresh HR <khiremat at redhat.com>
Date:   Fri Apr 24 17:31:03 2015 +0530

    rpc: Maintain separate xlator pointer in 'rpcsvc_state'

    The structure 'rpcsvc_state', which maintains rpc server
    state had no separate pointer to track the translator.
    It was using the mydata pointer itself. So callers were
    forced to send xlator pointer as mydata which is opaque
    (void pointer) by function prototype.

    'rpcsvc_register_init' is setting svc->mydata with xlator
    pointer. 'rpcsvc_register_notify' is overwriting svc->mydata
    with mydata pointer. And rpc interprets svc->mydata as
    xlator pointer internally. If someone passes non xlator
    structure pointer to rpcsvc_register_notify as libgfchangelog
    currently does, it might corrupt mydata. So interpreting opaque
    mydata as xlator pointer is incorrect as it is caller's choice
    to send mydata as any type of data to 'rpcsvc_register_notify'.

    Maintaining two different pointers in 'rpcsvc_state' for xlator
    and mydata solves the issue.

    BUG: 1218381
    Change-Id: I4c28937a30845e3f41b6fc7a09036149c816659b
    Signed-off-by: Kotresh HR <khiremat at redhat.com>
    Reviewed-on: http://review.gluster.org/10366
    Reviewed-on: http://review.gluster.org/10534
    Tested-by: Gluster Build System <jenkins at build.gluster.com>
    Tested-by: NetBSD Build System
    Reviewed-by: Aravinda VK <avishwan at redhat.com>
    Reviewed-by: Vijay Bellur <vbellur at redhat.com>

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=XCXrgjaC9J&a=cc_unsubscribe
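The type confusion the commit message describes, modelled as an added C example that is not GlusterFS code: the real `rpcsvc_state` and `xlator_t` are far larger, and the `changelog_ctx_t` layout, the `before_`/`after_` function names and the sample values below are constructed for illustration. The "before" layout keeps one `mydata` slot that `register_init` fills with the xlator and `register_notify` later overwrites with the caller's opaque object, so the rpc layer's cast of that slot back to an xlator yields a pointer into the wrong structure; the "after" layout keeps the two pointers apart, which is the fix the commit lands.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for GlusterFS's xlator_t; only the name field matters here. */
typedef struct {
    const char *name;
} xlator_t;

/* Constructed caller-private structure of a different shape, standing in for
 * the non-xlator object the commit says libgfchangelog passes as mydata. */
typedef struct {
    int  fd;
    long epoch;
} changelog_ctx_t;

/* ---- Before the fix: one slot serves as both "the xlator" and "opaque caller data". ---- */
typedef struct {
    void *mydata;   /* set by register_init to the xlator, then overwritten by register_notify */
} rpcsvc_state_before_t;

static void before_register_init(rpcsvc_state_before_t *svc, xlator_t *xl)
{
    svc->mydata = xl;
}

static void before_register_notify(rpcsvc_state_before_t *svc, void *mydata)
{
    svc->mydata = mydata;                 /* clobbers the xlator pointer stored above */
}

/* Internal helper modelling the rpc layer's assumption that mydata is an xlator. */
static xlator_t *before_this_xlator(rpcsvc_state_before_t *svc)
{
    return (xlator_t *)svc->mydata;       /* wrong type whenever the caller passed something else */
}

/* ---- After the fix: two distinct pointers, as the commit describes. ---- */
typedef struct {
    xlator_t *xl;     /* always the translator that owns this rpc server */
    void     *mydata; /* whatever the notify caller chose to pass; never cast to xlator */
} rpcsvc_state_after_t;

static void after_register_init(rpcsvc_state_after_t *svc, xlator_t *xl)
{
    svc->xl = xl;
}

static void after_register_notify(rpcsvc_state_after_t *svc, void *mydata)
{
    svc->mydata = mydata;                 /* no longer touches svc->xl */
}

static xlator_t *after_this_xlator(rpcsvc_state_after_t *svc)
{
    return svc->xl;
}

/* Returns 1 when the pre-fix layout ends up treating the caller's private
 * object as the xlator. Only pointer identity is compared; the bogus pointer
 * is never dereferenced, since doing so is the corruption the bug describes. */
int demo_before_confuses_types(void)
{
    xlator_t              xl  = { "changelog-xlator" };   /* constructed sample */
    changelog_ctx_t       ctx = { 7, 1430000000L };        /* constructed sample */
    rpcsvc_state_before_t svc = { NULL };

    before_register_init(&svc, &xl);
    before_register_notify(&svc, &ctx);   /* caller passes a non-xlator, as libgfchangelog did */

    return before_this_xlator(&svc) == (xlator_t *)(void *)&ctx
        && before_this_xlator(&svc) != &xl;
}

/* Returns 1 when the fixed layout keeps the xlator and the opaque data apart. */
int demo_after_keeps_both(void)
{
    xlator_t             xl  = { "changelog-xlator" };
    changelog_ctx_t      ctx = { 7, 1430000000L };
    rpcsvc_state_after_t svc = { NULL, NULL };

    after_register_init(&svc, &xl);
    after_register_notify(&svc, &ctx);

    return after_this_xlator(&svc) == &xl && svc.mydata == (void *)&ctx;
}

int main(void)
{
    printf("before fix: xlator slot clobbered by caller data = %d\n", demo_before_confuses_types());
    printf("after fix:  xlator preserved, mydata separate    = %d\n", demo_after_keeps_both());
    return 0;
}
```

The check compares addresses only: in the pre-fix model the "xlator" the server holds is literally the address of a `changelog_ctx_t`, so any field access through it reads the wrong object, which is why the commit calls the opaque-as-xlator interpretation incorrect rather than merely fragile.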