Fix use-after-free in thread group reconfiguration

If a thread group with no running threads is deconfigured,
it was freed before fetching the next node in the linked list.

This rare bug caused a crash in unit tests in OpenBSD.

diff --git a/sysdep/unix/io-loop.c b/sysdep/unix/io-loop.c
index 3be4a4ef6372fd16da6a929a47ba48a48f8dc817..431994357ff7e63f422bcc8e0f56c4b62d046a21 100644 (file)
--- a/sysdep/unix/io-loop.c
+++ b/sysdep/unix/io-loop.c
@@ -1371,7 +1371,7 @@ bird_thread_commit(struct config *new, struct config *old)
   ASSERT_DIE(new->default_thread_group);
   default_thread_group = new->default_thread_group->group;
 
-  WALK_TLIST(thread_group, gpub, &global_thread_group_list)
+  WALK_TLIST_DELSAFE(thread_group, gpub, &global_thread_group_list)
   {
     bool run_thread_dropper = false;
     TLIST_LIST(birdloop) *leftover_loops = NULL;