DAOS-16251 mgmt: Fix use-after-free in pool_list (#15014)

In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after calling crt_req_decref on rpc is a use-after-free. Signed-off-by: Li Wei <[email protected]>
daos-stack · Aug 28, 2024 · 663237c · 663237c
1 parent 20f7361
commit 663237c
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/mgmt/cli_mgmt.c b/src/mgmt/cli_mgmt.c
@@ -1367,8 +1367,8 @@ dc_mgmt_pool_list(tse_task_t *task)
 	rc = daos_rpc_send_wait(rpc);
 	if (rc != 0) {
 		DL_ERROR(rc, "rpc send failed");
-		crt_req_decref(rpc);
 		wipe_cred_iov(&in->pli_cred);
+		crt_req_decref(rpc);
 		goto rechoose;
 	}
 
@@ -1377,8 +1377,8 @@ dc_mgmt_pool_list(tse_task_t *task)
 
 	rc = rsvc_client_complete_rpc(&ms_client, &ep, rc, out->plo_op.mo_rc, &out->plo_op.mo_hint);
 	if (rc == RSVC_CLIENT_RECHOOSE) {
-		crt_req_decref(rpc);
 		wipe_cred_iov(&in->pli_cred);
+		crt_req_decref(rpc);
 		goto rechoose;
 	}
 
@@ -1430,8 +1430,8 @@ dc_mgmt_pool_list(tse_task_t *task)
 	if (rc != 0)
 		DL_ERROR(rc, "failed to list pools");
 
-	crt_req_decref(rpc);
 	wipe_cred_iov(&in->pli_cred);
+	crt_req_decref(rpc);
 out_client:
 	rsvc_client_fini(&ms_client);
 out_grp: