diff options
author | Robbie Harwood <rharwood@redhat.com> | 2021-05-29 13:25:59 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2021-07-12 12:00:32 -0400 |
commit | ed1ee79e90ccf485eed370dbda83829046502139 (patch) | |
tree | e60c5bef01ee696986278ac28ead060ef27dd001 | |
parent | 4abb051f76ae8f55247875a68f424a62a6315ec0 (diff) | |
download | krb5-ed1ee79e90ccf485eed370dbda83829046502139.zip krb5-ed1ee79e90ccf485eed370dbda83829046502139.tar.gz krb5-ed1ee79e90ccf485eed370dbda83829046502139.tar.bz2 |
Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.
(cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1)
ticket: 9015
version_fixed: 1.18.4
-rw-r--r-- | src/lib/krad/remote.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c index 437f7e9..12e33cf 100644 --- a/src/lib/krad/remote.c +++ b/src/lib/krad/remote.c @@ -220,12 +220,12 @@ static void remote_shutdown(krad_remote *rr) { krb5_error_code retval; - request *r; + request *r, *next; remote_disconnect(rr); /* Start timers for all unsent packets. */ - K5_TAILQ_FOREACH(r, &rr->list, list) { + K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) { if (r->timer == NULL) { retval = request_start_timer(r, rr->vctx); if (retval != 0) |