From 237e8598ca77b454bc04755f56f82d53ab25c745 Mon Sep 17 00:00:00 2001 From: Maria Matejka Date: Fri, 9 May 2025 22:09:18 +0200 Subject: [PATCH] Fix use-after-free in thread group reconfiguration If a thread group with no running threads is deconfigured, it was freed before fetching the next node in the linked list. This rare bug caused a crash in unit tests in OpenBSD. --- sysdep/unix/io-loop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysdep/unix/io-loop.c b/sysdep/unix/io-loop.c index 73914e934..7e8b31145 100644 --- a/sysdep/unix/io-loop.c +++ b/sysdep/unix/io-loop.c @@ -1403,7 +1403,7 @@ bird_thread_commit(struct config *new, struct config *old) ASSERT_DIE(new->default_thread_group); default_thread_group = new->default_thread_group->group; - WALK_TLIST(thread_group, gpub, &global_thread_group_list) + WALK_TLIST_DELSAFE(thread_group, gpub, &global_thread_group_list) { bool run_thread_dropper = false; TLIST_LIST(birdloop) *leftover_loops = NULL; -- 2.47.2
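Review bot: The loop head in bird_thread_commit now uses WALK_TLIST_DELSAFE, but nothing at the loop says why the delete-safe walk is required, so a later cleanup could switch it back to WALK_TLIST without noticing that the body can free gpub. Suggest a one-line comment above the loop stating that a thread group with no running threads may be freed inside the body, as the commit message describes. It is also worth confirming, in the part of the loop body not shown in this hunk, that only the current node gpub can be removed from global_thread_group_list during the walk: a walk that fetches the next node before running the body does not help if that next node is the one freed. Since the commit message says the crash showed up only in unit tests on OpenBSD, running the same test with a memory-error detector that flags reads of freed memory would let the regression be caught on other platforms too.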