From: Alain Spineux Date: Fri, 15 Mar 2024 15:27:26 +0000 (+0100) Subject: could: Fix 10788 cloud volume deletion crash X-Git-Tag: Release-15.0.2~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40f8a6acb37ff8e54d2b153fbac34737a125847b;p=thirdparty%2Fbacula.git could: Fix 10788 cloud volume deletion crash - the problem is about iterating up to including parts.last_index() using parts.get(parts.last_index()) is a mistake !!! it works most of the time because most of the time this value is NULL and the code does a continue BUT when parts.last_index() == parts.max_size(), then parts.get(parts.last_index()) is out of the allocated memory and can contain garbage - why is the code doing a "continue" ? Is it expected to have a NULL ? in the list ? in clean_cloud_volume_read_cb() that fill the list, there is no raison to have NULL ? With the bug, testing for NULL will save us 99% of the time Without the bug we can reach 100% :-) --- diff --git a/bacula/src/stored/generic_driver.c b/bacula/src/stored/generic_driver.c index 877dc02d8..e484a6305 100644 --- a/bacula/src/stored/generic_driver.c +++ b/bacula/src/stored/generic_driver.c @@ -1126,10 +1126,7 @@ bool generic_driver::clean_cloud_volume(const char *VolumeName, cleanup_cb_type int rtn=0; int i; - for (i=0; (i <= (int)parts.last_index()); i++) { - if (!parts.get(i)) { - continue; - } + for (i=0; i < parts.last_index(); i++) { int r = call_fct("delete", VolumeName, (char*)parts.get(i), NULL, NULL, cancel_cb, err); if (r == 0) { Dmsg2(dbglvl, "clean_cloud_volume for %s: Unlink file %s.\n", VolumeName, (char*)parts.get(i));