Fix use-after-free in thread group reconfiguration

If a thread group with no running threads is deconfigured,
it was freed before fetching the next node in the linked list.

This rare bug caused a crash in unit tests in OpenBSD.

diff --git a/sysdep/unix/io-loop.c b/sysdep/unix/io-loop.c
index 73914e9343693bdee5647ab291b461abb4379ad9..7e8b311450c2311528cae71853dfbf3b9c6cb76f 100644 (file)
--- a/sysdep/unix/io-loop.c
+++ b/sysdep/unix/io-loop.c
@@ -1403,7 +1403,7 @@ bird_thread_commit(struct config *new, struct config *old)
   ASSERT_DIE(new->default_thread_group);
   default_thread_group = new->default_thread_group->group;
 
-  WALK_TLIST(thread_group, gpub, &global_thread_group_list)
+  WALK_TLIST_DELSAFE(thread_group, gpub, &global_thread_group_list)
   {
     bool run_thread_dropper = false;
     TLIST_LIST(birdloop) *leftover_loops = NULL;