bdev/nvme: fix use-after-free in mdns_resolve_callback()

If we find that the discovery entry already exists, a single break doesn't work - that just breaks out of the TAILQ_FOREACH. So instead change it to free the resolver object and return directly. Fixes issue #2945. Signed-off-by: Jim Harris <james.r.harris@intel.com> Change-Id: Ia31d6ecfa4fdc0a168eecc8ec4659da10a870770 Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/17209 Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com> Tested-by: SPDK CI Jenkins <sys_sgci@intel.com> Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com> Reviewed-by: Karol Latecki <karol.latecki@intel.com>
2023-03-15 16:27:28 +00:00 · 2023-03-15 16:27:28 +00:00 · 0bd1ca9dc1
commit 0bd1ca9dc1
parent 7c3c0b6630
1 changed files with 2 additions and 1 deletions
--- a/module/bdev/nvme/bdev_mdns_client.c
+++ b/module/bdev/nvme/bdev_mdns_client.c
@ -325,7 +325,8 @@ mdns_resolve_callback(
 				free(trid);
 				avahi_free(subnqn);
 				avahi_free(proto);
-				break;
+				avahi_service_resolver_free(r);
+				return;
 			}
 		}
 		entry_ctx = create_mdns_discovery_entry_ctx(ctx, trid);