From: Maria Matejka Date: Fri, 9 May 2025 20:09:18 +0000 (+0200) Subject: Fix use-after-free in thread group reconfiguration X-Git-Tag: v3.1.1~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=147629442f7c9a988ca8e2ed264b303b0bf13067;p=thirdparty%2Fbird.git Fix use-after-free in thread group reconfiguration If a thread group with no running threads is deconfigured, it was freed before fetching the next node in the linked list. This rare bug caused a crash in unit tests in OpenBSD. --- diff --git a/sysdep/unix/io-loop.c b/sysdep/unix/io-loop.c index 3be4a4ef6..431994357 100644 --- a/sysdep/unix/io-loop.c +++ b/sysdep/unix/io-loop.c @@ -1371,7 +1371,7 @@ bird_thread_commit(struct config *new, struct config *old) ASSERT_DIE(new->default_thread_group); default_thread_group = new->default_thread_group->group; - WALK_TLIST(thread_group, gpub, &global_thread_group_list) + WALK_TLIST_DELSAFE(thread_group, gpub, &global_thread_group_list) { bool run_thread_dropper = false; TLIST_LIST(birdloop) *leftover_loops = NULL;
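Review bot: The loop in bird_thread_commit() that now uses WALK_TLIST_DELSAFE has no comment explaining why the delete-safe walker is required, so a later cleanup could switch it back to WALK_TLIST and reintroduce the use-after-free. Suggest a one-line comment above the loop stating that the body may free gpub when a thread group with no running threads is deconfigured. It is also worth confirming that the body only ever frees the current node: if the delete-safe walker works by fetching the next node before the body runs, it still breaks when that next node is freed in the same iteration. The commit message says the crash appeared in unit tests on OpenBSD, so running the reconfiguration tests under a memory-error detector would make a regression visible on other platforms too.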