From: Christos Tsantilas Date: Thu, 18 Dec 2014 14:36:23 +0000 (-0800) Subject: Deleting first fs left psstate->servers pointing to uninitialized memory X-Git-Tag: SQUID_3_4_11~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd46ce1d7042c19545f4d94d4014a2c81d907629;p=thirdparty%2Fsquid.git Deleting first fs left psstate->servers pointing to uninitialized memory ... possibly causing infinite loops in peerAddFwdServer(). TODO: The condition itself is excessive. If fs is not nil, the previous check already tells us that the Config.forward_max_tries limit is exceeded. --- diff --git a/src/peer_select.cc b/src/peer_select.cc index 19e337105a..9c26a20c57 100644 --- a/src/peer_select.cc +++ b/src/peer_select.cc @@ -271,11 +271,12 @@ peerSelectDnsPaths(ps_state *psstate) // due to the allocation method of fs, we must deallocate each manually. // TODO: use a std::list so we can get the size and abort adding whenever the selection loops reach Config.forward_max_tries if (fs && psstate->paths->size() >= (unsigned int)Config.forward_max_tries) { + assert(fs == psstate->servers); while (fs) { - FwdServer *next = fs->next; + psstate->servers = fs->next; cbdataReferenceDone(fs->_peer); memFree(fs, MEM_FWD_SERVER); - fs = next; + fs = psstate->servers; } }
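Review bot: The new `assert(fs == psstate->servers);` at the top of the `if` body depends on an invariant that the code states nowhere. The loop now frees nodes by advancing `psstate->servers` itself, so it is only correct when `fs` is the head of that list. If `fs` ever pointed further down, `psstate->servers = fs->next` would unlink the earlier nodes without running `cbdataReferenceDone()` or `memFree()` on them. A short comment above the assert saying that `fs` must be the head of `psstate->servers` at this point would make the assumption clear to the next reader. The TODO in the commit message, that the condition is excessive when `fs` is not nil, should also be carried into the source beside the existing `// TODO: use a std::list` comment, since at present it exists only in the log.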