Fix: crmd: Prevent use-after-free when an unexpected remote client takes over #928
Conversation
| crm_err("Unexpected pacemaker_remote client takeover. Disconnecting"); | ||
| lrm_state_disconnect(lrm_state); | ||
| crm_err("Unexpected pacemaker_remote client takeover for %s. Disconnecting", op->remote_nodename); | ||
| /* In this case, lrmd_tls_connection_destroy() will be called under the control of mainloop. */ |
There was a problem hiding this comment.
When is the source removed from the mainloop?
There was a problem hiding this comment.
The source is removed by lrm_state_disconnect() -> lrmd_api_disconnect() -> lrmd_tls_disconnect() -> lrmd_tls_disconnect() -> mainloop_del_ipc_client() -> mainloop_del_fd().
But after the control was returned to mainloop, crmd dumped core:
#0 0x00007fc8ac999187 in raise () from /lib64/libc.so.6
#1 0x00007fc8ac99a538 in abort () from /lib64/libc.so.6
#2 0x00007fc8ac9d6804 in __libc_message () from /lib64/libc.so.6
#3 0x00007fc8ac9dc06e in malloc_printerr () from /lib64/libc.so.6
#4 0x00007fc8ac9dcd86 in _int_free () from /lib64/libc.so.6
#5 0x00007fc8acd0fee5 in lrmd_tls_connection_destroy (userdata=) at lrmd_client.c:547
#6 0x00007fc8ad16903d in mainloop_gio_destroy (c=0x271f220) at mainloop.c:744
#7 0x00007fc8ac6a9228 in ?? () from /usr/lib64/libglib-2.0.so.0
#8 0x00007fc8ac6ac272 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#9 0x00007fc8ac6ac4b8 in ?? () from /usr/lib64/libglib-2.0.so.0
#10 0x00007fc8ac6ac8ba in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
#11 0x000000000040715e in crmd_init () at main.c:154
#12 0x0000000000406f34 in main (argc=1, argv=0x7ffd1c433858) at main.c:121
|
Thanks for this investigation and fix. I'm surprised this situation wasn't considered in the design. |
Fix: crmd: Prevent use-after-free when an unexpected remote client takes over
No description provided.