From: Robbie Harwood Date: Sat, 29 May 2021 17:25:59 +0000 (-0400) Subject: Fix use-after-free during krad remote_shutdown() X-Git-Tag: krb5-1.20-beta1~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c88defb16b34937d5b72b4832c854ce2dbe32d1;p=thirdparty%2Fkrb5.git Fix use-after-free during krad remote_shutdown() Since elements of the queue can be removed on out-of-memory errors, the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH. Reported by Coverity. ticket: 9015 (new) tags: pullup target_version: 1.19-next target_version: 1.18-next --- diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c index c96a9b4eeb..a938665f67 100644 --- a/src/lib/krad/remote.c +++ b/src/lib/krad/remote.c @@ -220,12 +220,12 @@ static void remote_shutdown(krad_remote *rr) { krb5_error_code retval; - request *r; + request *r, *next; remote_disconnect(rr); /* Start timers for all unsent packets. */ - K5_TAILQ_FOREACH(r, &rr->list, list) { + K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) { if (r->timer == NULL) { retval = request_start_timer(r, rr->vctx); if (retval != 0)
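Review bot: the K5_TAILQ_FOREACH_SAFE loop in remote_shutdown() only tolerates removal of the current element r, because next is saved before the loop body runs; it gives no protection if the failure branch under "if (retval != 0)" can free some request other than r, in which case next would itself dangle. That branch is cut off in the visible context, so it is worth confirming that the error path unlinks and frees only r. The reason for the _SAFE variant is also not visible at the loop itself: extending the existing "Start timers for all unsent packets." comment to say that a request_start_timer() failure may remove r from rr->list would keep a later cleanup from switching back to K5_TAILQ_FOREACH.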