authorRobbie Harwood <rharwood@redhat.com>2021-05-29 13:25:59 -0400
committerGreg Hudson <ghudson@mit.edu>2021-07-12 12:00:32 -0400
commited1ee79e90ccf485eed370dbda83829046502139 (patch)
treee60c5bef01ee696986278ac28ead060ef27dd001
parent4abb051f76ae8f55247875a68f424a62a6315ec0 (diff)
Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors, the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH. Reported by Coverity. (cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1) ticket: 9015 version_fixed: 1.18.4
-rw-r--r--src/lib/krad/remote.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index 437f7e9..12e33cf 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -220,12 +220,12 @@ static void
remote_shutdown(krad_remote *rr)
{
krb5_error_code retval;
- request *r;
+ request *r, *next;
remote_disconnect(rr);
/* Start timers for all unsent packets. */
- K5_TAILQ_FOREACH(r, &rr->list, list) {
+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
if (r->timer == NULL) {
retval = request_start_timer(r, rr->vctx);
if (retval != 0)
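Review bot: The loop comment still reads only `/* Start timers for all unsent packets. */` and does not say why the iteration has to be the _SAFE form, so a later cleanup could switch it back to K5_TAILQ_FOREACH and reintroduce the use-after-free. I would extend it to something like `/* Start timers for all unsent packets; _SAFE because a request whose timer cannot be started is removed from rr->list inside the loop. */`. K5_TAILQ_FOREACH_SAFE only tolerates removal of the current element `r`, since `next` is cached before the body runs. If the failure path can ever remove a request other than `r` (for example from a completion callback, which is a guess because that code is not shown), the cached `next` would be stale, so this is worth confirming against the callers. The body of remote_shutdown continues past the end of the hunk, so the removal itself is not visible here.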