From 0bd1ca9dc1c4566e623f5b7de61788078f3f9d75 Mon Sep 17 00:00:00 2001
From: Jim Harris <james.r.harris@intel.com>
Date: Wed, 15 Mar 2023 16:27:28 +0000
Subject: [PATCH] bdev/nvme: fix use-after-free in mdns_resolve_callback()

If we find that the discovery entry already exists, a
single break doesn't work - that just breaks out of
the TAILQ_FOREACH.  So instead change it to free
the resolver object and return directly.

Fixes issue #2945.

Signed-off-by: Jim Harris <james.r.harris@intel.com>
Change-Id: Ia31d6ecfa4fdc0a168eecc8ec4659da10a870770
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/17209
Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
Reviewed-by: Karol Latecki <karol.latecki@intel.com>
---
 module/bdev/nvme/bdev_mdns_client.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/module/bdev/nvme/bdev_mdns_client.c b/module/bdev/nvme/bdev_mdns_client.c
index f01d60214..be382e6f4 100644
--- a/module/bdev/nvme/bdev_mdns_client.c
+++ b/module/bdev/nvme/bdev_mdns_client.c
@@ -325,7 +325,8 @@ mdns_resolve_callback(
 				free(trid);
 				avahi_free(subnqn);
 				avahi_free(proto);
-				break;
+				avahi_service_resolver_free(r);
+				return;
 			}
 		}
 		entry_ctx = create_mdns_discovery_entry_ctx(ctx, trid);