authorJindrich Novy <jnovy@redhat.com>2020-05-27 11:01:02 +0200
committerMarc-André Lureau <marcandre.lureau@redhat.com>2020-05-27 12:38:00 +0200
commit0b83636e914a894b324836e3fb2f20a2f7599fc4 (patch)
tree587a8e6c5e6ccd41ef1e396cc3a9781313ce32ef
parent21f1d933050a40d62612c6274c32de60b811d9ea (diff)
Fix possible infinite loops and use-after-free
Error: USE_AFTER_FREE (CWE-416): [#def1] libslirp-4.3.0/src/ip_icmp.c:79: freed_arg: "icmp_detach" frees "slirp->icmp.so_next". libslirp-4.3.0/src/ip_icmp.c:79: deref_arg: Calling "icmp_detach" dereferences freed pointer "slirp->icmp.so_next". 77| { 78| while (slirp->icmp.so_next != &slirp->icmp) { 79|-> icmp_detach(slirp->icmp.so_next); 80| } 81| } Error: USE_AFTER_FREE (CWE-416): [#def27] libslirp-4.3.0/src/udp.c:56: freed_arg: "udp_detach" frees "slirp->udb.so_next". libslirp-4.3.0/src/udp.c:56: deref_arg: Calling "udp_detach" dereferences freed pointer "slirp->udb.so_next". 54| { 55| while (slirp->udb.so_next != &slirp->udb) { 56|-> udp_detach(slirp->udb.so_next); 57| } 58| } Signed-off-by: Jindrich Novy <jnovy@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-rw-r--r--src/ip_icmp.c7
-rw-r--r--src/udp.c5
2 files changed, 9 insertions, 3 deletions
diff --git a/src/ip_icmp.c b/src/ip_icmp.c
index fe0add4..7533595 100644
--- a/src/ip_icmp.c
+++ b/src/ip_icmp.c
@@ -75,8 +75,11 @@ void icmp_init(Slirp *slirp)
void icmp_cleanup(Slirp *slirp)
{
- while (slirp->icmp.so_next != &slirp->icmp) {
- icmp_detach(slirp->icmp.so_next);
+ struct socket *so, *so_next;
+
+ for (so = slirp->icmp.so_next; so != &slirp->icmp; so = so_next) {
+ so_next = so->so_next;
+ icmp_detach(so);
}
}
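Review bot: The new loop in icmp_cleanup reads `so->so_next` before calling `icmp_detach(so)`, but nothing in the code says why that order matters or what it depends on. The saved pointer is only valid if icmp_detach() frees and unlinks `so` alone and never touches its successor; that cannot be confirmed from this hunk, since icmp_detach is defined elsewhere. I would record the invariant above the assignment, for example `/* fetch the successor first: icmp_detach() frees so and must not unlink so_next */`, so that a later change to icmp_detach does not quietly reintroduce the CWE-416 finding quoted in the description.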
diff --git a/src/udp.c b/src/udp.c
index 6bde20f..9ed1e74 100644
--- a/src/udp.c
+++ b/src/udp.c
@@ -52,7 +52,10 @@ void udp_init(Slirp *slirp)
void udp_cleanup(Slirp *slirp)
{
- while (slirp->udb.so_next != &slirp->udb) {
+ struct socket *so, *so_next;
+
+ for (so = slirp->udb.so_next; so != &slirp->udb; so = so_next) {
+ so_next = so->so_next;
udp_detach(slirp->udb.so_next);
}
}
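Review bot: The detach call inside the new loop in udp_cleanup is left as `udp_detach(slirp->udb.so_next);`, so the `so` cursor this hunk introduces is never passed to it. The two expressions appear to name the same socket on every pass only while udp_detach() always unlinks the socket it is given. If that ever stops holding, the loop steps past an entry that is still on the list. The line is also the exact expression the USE_AFTER_FREE report in the description flags, and it diverges from the icmp_cleanup hunk, which calls `icmp_detach(so)`. Change it to `udp_detach(so);` so both cleanup paths free the node whose successor was just saved.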