authorRobbie Harwood <rharwood@redhat.com>2021-05-29 13:25:59 -0400
committerGreg Hudson <ghudson@mit.edu>2021-07-12 12:00:30 -0400
commitd8c95fe992fe7e0d9314a28364fc26992f1da628 (patch)
tree635aeb9dd6c52dcdbcabd708097d98d6cac97886
parent5cf95e57e1a45f20d6ae1ea8232c1511f4b1940b (diff)
Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors, the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH. Reported by Coverity. (cherry picked from commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1) ticket: 9015 version_fixed: 1.19.2
-rw-r--r--src/lib/krad/remote.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index c96a9b4..a938665 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -220,12 +220,12 @@ static void
remote_shutdown(krad_remote *rr)
{
krb5_error_code retval;
- request *r;
+ request *r, *next;
remote_disconnect(rr);
/* Start timers for all unsent packets. */
- K5_TAILQ_FOREACH(r, &rr->list, list) {
+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
if (r->timer == NULL) {
retval = request_start_timer(r, rr->vctx);
if (retval != 0)
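Review bot: The `K5_TAILQ_FOREACH_SAFE` loop only tolerates removal of the current element `r`, because `next` is saved before the body runs. The statement under `if (retval != 0)` lies outside this hunk, so whether it can unlink or free any request other than `r` cannot be confirmed from here. If it can, the saved `next` would dangle and the same use-after-free would remain. It is worth recording that invariant at the loop, for example by extending the existing comment to `/* Start timers for all unsent packets. A request may be removed from the list if its timer cannot be started, so iterate with the _SAFE variant; the failure path must only remove r itself. */`.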