From 0bb6cf83fb6b1f80c99beb11cd47e0db02e252ff Mon Sep 17 00:00:00 2001
From: Oliver Kurth
Date: Fri, 22 Nov 2019 14:52:35 -0800
Subject: [PATCH] Fix a potential NULL pointer dereference in the vmbackup plugin. In some circumtances, VmBackupAsyncCallback might dereference gBackupState after calling VmBackupDoAbort even though the latter function can potentially set gBackupState to NULL. Add a check to prevent the potential NULL pointer dereference.
---
 open-vm-tools/services/plugins/vmbackup/stateMachine.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/open-vm-tools/services/plugins/vmbackup/stateMachine.c b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
index 6b422869a..5c01a7bc3 100644
--- a/open-vm-tools/services/plugins/vmbackup/stateMachine.c
+++ b/open-vm-tools/services/plugins/vmbackup/stateMachine.c
@@ -675,6 +675,15 @@ VmBackupAsyncCallback(void *clientData)
 if (gBackupState->rpcState == VMBACKUP_RPC_STATE_ERROR) {
 g_warning("Aborting backup operation due to RPC errors.");
 VmBackupDoAbort();
+
+ /*
+ * Check gBackupState, since the abort could cause a transition to
+ * VMBACKUP_MSTATE_IDLE, in which case the VmBackupState structure
+ * would be freed and gBackupState would be NULL.
+ */
+ if (gBackupState == NULL) {
+ return FALSE;
+ }
 goto exit;
 }
 }
-- 
2.47.3
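Review bot: The added `return FALSE;` after `VmBackupDoAbort()` leaves VmBackupAsyncCallback without going through the `exit` label, so whatever that label does is skipped on this path; the label and the rest of the function are outside the hunk, so this needs checking against the full body. If nothing at `exit` applies once the state is gone, the comment could say so next to the return, e.g. `/* Nothing left to clean up: the abort path already freed the state. */`. The guard is only sound if the code that frees the VmBackupState structure also resets gBackupState to NULL in the same step, as the new comment states; otherwise the test would pass on a dangling pointer and the later reads become a use-after-free instead of a NULL dereference. Any other place in this file that reads gBackupState after calling VmBackupDoAbort() would presumably need the same check and is worth auditing alongside this one.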