[master] cf2c6b9 Fix a NULL pointer deref in LRU.

Poul-Henning Kamp phk at FreeBSD.org
Tue Dec 3 12:41:08 CET 2013 

commit cf2c6b97c0a0018ff4eea475d919fabaacbf856c
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue Dec 3 11:40:40 2013 +0000

    Fix a NULL pointer deref in LRU.
    
    Spotted by: c0004x.vtc on slow machines.

diff --git a/bin/varnishd/cache/cache_expire.c b/bin/varnishd/cache/cache_expire.c
index 88d49fb..75364fd 100644
--- a/bin/varnishd/cache/cache_expire.c
+++ b/bin/varnishd/cache/cache_expire.c
@@ -331,6 +331,8 @@ EXP_NukeOne(struct busyobj *bo, struct lru *lru)
 
 	VSLb(bo->vsl, SLT_ExpKill, "LRU x=%u",
 	    oc_getxid(bo->stats, oc) & VSL_IDENTMASK);
+	AN(bo->stats);
+	AN(oc);
 	(void)HSH_DerefObjCore(bo->stats, &oc);
 	return (1);
 }
diff --git a/bin/varnishd/cache/cache_fetch.c b/bin/varnishd/cache/cache_fetch.c
index 8a738cc..e8b4914 100644
--- a/bin/varnishd/cache/cache_fetch.c
+++ b/bin/varnishd/cache/cache_fetch.c
@@ -384,8 +384,8 @@ vbf_stp_fetch(struct worker *wrk, struct busyobj *bo)
 		bo->exp.keep = 0.0;
 		obj = STV_NewObject(bo, TRANSIENT_STORAGE, l, nhttp);
 	}
-	bo->stats = NULL;
 	if (obj == NULL) {
+		bo->stats = NULL;
 		(void)VFP_Error(bo, "Could not get storage");
 		VDI_CloseFd(&bo->vbc);
 		return (F_STP_DONE);
@@ -459,6 +459,8 @@ vbf_stp_fetch(struct worker *wrk, struct busyobj *bo)
 		break;
 	}
 
+	bo->stats = NULL;
+
 	bo->t_body = VTIM_mono();
 
 	if (bo->vbc != NULL) {
diff --git a/bin/varnishd/cache/cache_fetch_proc.c b/bin/varnishd/cache/cache_fetch_proc.c
index 9021e6b..e170d89 100644
--- a/bin/varnishd/cache/cache_fetch_proc.c
+++ b/bin/varnishd/cache/cache_fetch_proc.c
@@ -178,6 +178,7 @@ VFP_GetStorage(struct busyobj *bo, ssize_t sz)
 	if (st != NULL && st->len < st->space)
 		return (st);
 
+	AN(bo->stats);
 	l = fetchfrag;
 	if (l == 0)
 		l = sz;
diff --git a/bin/varnishd/storage/stevedore.c b/bin/varnishd/storage/stevedore.c
index dd9d7d3..c54b982 100644
--- a/bin/varnishd/storage/stevedore.c
+++ b/bin/varnishd/storage/stevedore.c
@@ -202,6 +202,7 @@ stv_alloc_obj(struct busyobj *bo, size_t size)
 	 * Always use the stevedore which allocated the object in order to
 	 * keep an object inside the same stevedore.
 	 */
+	AN(bo->stats);
 	CHECK_OBJ_NOTNULL(bo, BUSYOBJ_MAGIC);
 	obj = bo->fetch_obj;
 	CHECK_OBJ_NOTNULL(obj, OBJECT_MAGIC);

More information about the varnish-commit mailing list