client: fix use-after-free for client timeout
author: Jens Axboe <axboe@kernel.dk>
Fri, 1 Dec 2017 02:50:34 +0000 (19:50 -0700)
committer: Jens Axboe <axboe@kernel.dk>
Fri, 1 Dec 2017 02:50:34 +0000 (19:50 -0700)
We free the reply, but if it times out, we dereference it afterwards.
Store the opcode before calling into handle_cmd_timeout().

Signed-off-by: Jens Axboe <axboe@kernel.dk>
client.c

index 3b54bfdfe6e183b5b0428d0b0fb09b2db5e0fe79..2b136a0fc06950802dd0bf4ce7c2eb8f4d676005 100644 (file)
--- a/client.c
+++ b/client.c
@@ -1903,16 +1903,19 @@ static int client_check_cmd_timeout(struct fio_client *client,
        int ret = 0;
 
        flist_for_each_safe(entry, tmp, &client->cmd_list) {
+               unsigned int op;
+
                reply = flist_entry(entry, struct fio_net_cmd_reply, list);
 
                if (mtime_since(&reply->ts, now) < FIO_NET_CLIENT_TIMEOUT)
                        continue;
 
+               op = reply->opcode;
                if (!handle_cmd_timeout(client, reply))
                        continue;
 
                log_err("fio: client %s, timeout on cmd %s\n", client->hostname,
-                                               fio_server_op(reply->opcode));
+                                               fio_server_op(op));
                ret = 1;
        }
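Review bot: copying the opcode into `op` before `handle_cmd_timeout(client, reply)` removes the freed-memory read in the `log_err()` call, but nothing at the call site records that `reply` is dead once `handle_cmd_timeout()` returns, so the next edit to this loop body can reintroduce the same use-after-free; add a one-line comment above `op = reply->opcode;` stating that `handle_cmd_timeout()` may free `reply` and that it must not be dereferenced afterwards, and consider assigning `reply = NULL;` immediately after the call so any later dereference faults instead of reading freed memory. The `flist_for_each_safe(entry, tmp, ...)` iteration already tolerates the entry being unlinked, so the loop itself is fine.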