krb5/Fix-use-after-free-during-krad-remote_shutdown.patch
2021-07-01 13:17:47 -04:00

39 lines
1.2 KiB
Diff

From bcd7b5e8aa0d325e9b178d9be3459759d39b631e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Sat, 29 May 2021 13:25:59 -0400
Subject: [PATCH] Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.
ticket: 9015 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
(cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1)
---
src/lib/krad/remote.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index eca432424..7b5804b1d 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -220,12 +220,12 @@ static void
remote_shutdown(krad_remote *rr)
{
krb5_error_code retval;
- request *r;
+ request *r, *next;
remote_disconnect(rr);
/* Start timers for all unsent packets. */
- K5_TAILQ_FOREACH(r, &rr->list, list) {
+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
if (r->timer == NULL) {
retval = request_start_timer(r, rr->vctx);
if (retval != 0)