From 97a014bbe9f71049b20ba7ccebf799ee04766186 Mon Sep 17 00:00:00 2001 From: Steve Dickson Date: Tue, 5 Mar 2024 04:03:05 -0500 Subject: [PATCH] rpcb_clnt.c: Eliminate double frees in delete_cache() (RHEL-11183) commit 1d2e10afb2ffc35cb3623f57a15f712359f18e75 Author: Herb Wartens Date: Tue Aug 1 10:36:16 2023 -0400 rpcb_clnt.c: Eliminate double frees in delete_cache() Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224666 Signed-off-by: Steve Dickson Signed-off-by: Steve Dickson Resolves: RHEL-11183
---
libtirpc-1.3.3-double-free.patch | 32 ++++++++++++++++++++++++++++++++
libtirpc.spec | 6 +++++-
2 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 libtirpc-1.3.3-double-free.patch
diff --git a/libtirpc-1.3.3-double-free.patch b/libtirpc-1.3.3-double-free.patch
new file mode 100644
index 0000000..a869b43
--- /dev/null
+++ b/libtirpc-1.3.3-double-free.patch
@@ -0,0 +1,32 @@
+commit 1d2e10afb2ffc35cb3623f57a15f712359f18e75
+Author: Herb Wartens
+Date: Tue Aug 1 10:36:16 2023 -0400
+
+ rpcb_clnt.c: Eliminate double frees in delete_cache()
+
+ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224666
+ Signed-off-by: Steve Dickson
+
+diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c
+index c0a9e12..68fe69a 100644
+--- a/src/rpcb_clnt.c
++++ b/src/rpcb_clnt.c
+@@ -262,12 +262,15 @@ delete_cache(addr)
+ for (cptr = front; cptr != NULL; cptr = cptr->ac_next) {
+ if (!memcmp(cptr->ac_taddr->buf, addr->buf, addr->len)) {
+ /* Unlink from cache. We'll destroy it after releasing the mutex. */
+- if (cptr->ac_uaddr)
++ if (cptr->ac_uaddr) {
+ free(cptr->ac_uaddr);
+- if (prevptr)
++ cptr->ac_uaddr = NULL;
++ }
++ if (prevptr) {
+ prevptr->ac_next = cptr->ac_next;
+- else
++ } else {
+ front = cptr->ac_next;
++ }
+ cachesize--;
+ break;
+ }
diff --git a/libtirpc.spec b/libtirpc.spec
index 72f0c7d..0f51735 100644
--- a/libtirpc.spec
+++ b/libtirpc.spec
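Review bot: The match test `if (!memcmp(cptr->ac_taddr->buf, addr->buf, addr->len))`, a context line of the embedded src/rpcb_clnt.c hunk, compares `addr->len` bytes without first checking that the cached address has the same length. A shorter cached buffer may therefore be read past its end, and an entry whose address only shares a prefix with `addr` can be unlinked in place of the intended one. Assuming `ac_taddr` points to the same netbuf type as `addr` (its declaration is not in the hunk), the guard would read `if (cptr->ac_taddr->len == addr->len && !memcmp(cptr->ac_taddr->buf, addr->buf, addr->len))`. Separately, `cptr->ac_uaddr = NULL;` deserves a short comment such as `/* cleared so the deferred destroy does not free ac_uaddr a second time */`, since the existing comment only says the entry is destroyed after the mutex is released. delete_cache() starts and ends outside the hunk, so that destroy path is not visible here.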
@@ -2,7 +2,7 @@ Name: libtirpc Version: 1.3.3 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Transport Independent RPC Library License: SISSL and BSD URL: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=summary @@ -29,6 +29,7 @@ Patch003: libtirpc-1.3.3-dos-sleep.patch # Patch004: libtirpc-1.3.3-null-ptrs-not-reused.patch Patch005: libtirpc-1.3.3-gssd-context-creation.patch +Patch006: libtirpc-1.3.3-double-free.patch %description This package contains SunLib's implementation of transport-independent @@ -129,6 +130,9 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t %{_mandir}/*/* %changelog +* Tue Mar 5 2024 Steve Dickson - 1.3.3-6 +- rpcb_clnt.c: Eliminate double frees in delete_cache() (RHEL-11183) + * Mon Mar 4 2024 Steve Dickson - 1.3.3-5 - Fix rpc_gss_seccreate() usage of the passed in gss credential. (RHEL-27936)