39 lines
1.2 KiB
Diff
39 lines
1.2 KiB
Diff
From bcd7b5e8aa0d325e9b178d9be3459759d39b631e Mon Sep 17 00:00:00 2001
|
|
From: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Sat, 29 May 2021 13:25:59 -0400
|
|
Subject: [PATCH] Fix use-after-free during krad remote_shutdown()
|
|
|
|
Since elements of the queue can be removed on out-of-memory errors,
|
|
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
|
|
Reported by Coverity.
|
|
|
|
ticket: 9015 (new)
|
|
tags: pullup
|
|
target_version: 1.19-next
|
|
target_version: 1.18-next
|
|
|
|
(cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1)
|
|
---
|
|
src/lib/krad/remote.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
|
index eca432424..7b5804b1d 100644
|
|
--- a/src/lib/krad/remote.c
|
|
+++ b/src/lib/krad/remote.c
|
|
@@ -220,12 +220,12 @@ static void
|
|
remote_shutdown(krad_remote *rr)
|
|
{
|
|
krb5_error_code retval;
|
|
- request *r;
|
|
+ request *r, *next;
|
|
|
|
remote_disconnect(rr);
|
|
|
|
/* Start timers for all unsent packets. */
|
|
- K5_TAILQ_FOREACH(r, &rr->list, list) {
|
|
+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
|
|
if (r->timer == NULL) {
|
|
retval = request_start_timer(r, rr->vctx);
|
|
if (retval != 0)
|