libceph: NULL deref on osdmap_apply_incremental() error path
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 13 Jul 2017 07:45:17 +0000 (10:45 +0300)
committerIlya Dryomov <idryomov@gmail.com>
Mon, 17 Jul 2017 12:54:58 +0000 (14:54 +0200)
There are hidden gotos in the ceph_decode_* macros.  We need to set the
"err" variable on these error paths otherwise we end up returning
ERR_PTR(0) which is NULL.  It causes NULL dereferences in the callers.

Fixes: 6f428df47dae ("libceph: pg_upmap[_items] infrastructure")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[idryomov@gmail.com: similar bug in osdmap_decode(), changelog tweak]
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
net/ceph/osdmap.c

index 864789c5974e072698841bf6207e9f044e2b8a78..3ffc7a1fd8b1585ab6bec549490e9d89185e0825 100644 (file)
@@ -1544,7 +1544,7 @@ static int osdmap_decode(void **p, void *end, struct ceph_osdmap *map)
        if (struct_v >= 3) {
                /* erasure_code_profiles */
                ceph_decode_skip_map_of_map(p, end, string, string, string,
-                                           bad);
+                                           e_inval);
        }
 
        if (struct_v >= 4) {
@@ -1825,9 +1825,9 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
        if (struct_v >= 3) {
                /* new_erasure_code_profiles */
                ceph_decode_skip_map_of_map(p, end, string, string, string,
-                                           bad);
+                                           e_inval);
                /* old_erasure_code_profiles */
-               ceph_decode_skip_set(p, end, string, bad);
+               ceph_decode_skip_set(p, end, string, e_inval);
        }
 
        if (struct_v >= 4) {