]> git.ipfire.org Git - thirdparty/krb5.git/commitdiff
projects / thirdparty / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1848447)
Fix use-after-free during krad remote_shutdown()
authorRobbie Harwood <rharwood@redhat.com>
Sat, 29 May 2021 17:25:59 +0000 (13:25 -0400)
committerGreg Hudson <ghudson@mit.edu>
Thu, 1 Jul 2021 15:40:35 +0000 (11:40 -0400)
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.

ticket: 9015 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next

src/lib/krad/remote.c patch | blob | blame | history

diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index c96a9b4eebcefb96fd7fd4027088f3982a0c0aae..a938665f67d08e44b125ca0c2e5915c4e2dbfc49 100644 (file)
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -220,12 +220,12 @@ static void
 remote_shutdown(krad_remote *rr)
 {
     krb5_error_code retval;
-    request *r;
+    request *r, *next;
 
     remote_disconnect(rr);
 
     /* Start timers for all unsent packets. */
-    K5_TAILQ_FOREACH(r, &rr->list, list) {
+    K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
         if (r->timer == NULL) {
             retval = request_start_timer(r, rr->vctx);
             if (retval != 0)
Mirror of https://github.com/krb5/krb5.git