From: Wayne Davison <wayne@opencoder.net>
Date: Tue, 7 Jul 2020 21:18:28 +0000 (-0700)
Subject: Fix an xattr free of the wrong object.
X-Git-Tag: v3.2.3pre1~121
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb6fabc116ec12b238c081b3fb57ab33e8eee0aa;p=thirdparty%2Frsync.git

Fix an xattr free of the wrong object.

In uncache_tmp_xattrs() the code used to find the value to unlink,
update the single-linked list, and then free the wrong pointer.
This fixes bug #50.
---

diff --git a/NEWS.md b/NEWS.md
index 440b8bdc..a3716df5 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -8,6 +8,9 @@
 
  - Fixed the specifying of --bwlimit=0 for the default (unlimited).
 
+ - Fixed a bug in the xattr code that was freeing the wrong object when trying
+   to cleanup the xattr list.
+
 ### ENHANCEMENTS:
 
  - Allow `--max-alloc=0` to specify no limit.
diff --git a/xattrs.c b/xattrs.c
index b3f0c1a3..a7d7d5ab 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -922,17 +922,16 @@ void uncache_tmp_xattrs(void)
 				continue;
 			}
 
-			while (ref != NULL) {
-				if (ref->next == NULL) {
-					ref = NULL;
+			while (1) {
+				rsync_xa_list_ref *next = ref->next;
+				if (next == NULL)
 					break;
-				}
-				if (xa_list_item->ndx == ref->next->ndx) {
-					ref->next = ref->next->next;
-					free(ref);
+				if (xa_list_item->ndx == next->ndx) {
+					ref->next = next->next;
+					free(next);
 					break;
 				}
-				ref = ref->next;
+				ref = next;
 			}
 		}
 		prior_xattr_count = (size_t)-1;