[31016] in CVS-changelog-for-Kerberos-V5
krb5 commit: Fix use-after-free during krad remote_shutdown()
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jul 1 12:11:51 2021
Date: Thu, 1 Jul 2021 12:11:32 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <202107011611.161GBWnC018863@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/8c88defb16b34937d5b72b4832c854ce2dbe32d1
commit 8c88defb16b34937d5b72b4832c854ce2dbe32d1
Author: Robbie Harwood <rharwood@redhat.com>
Date: Sat May 29 13:25:59 2021 -0400
Fix use-after-free during krad remote_shutdown()
Since elements of the queue can be removed on out-of-memory errors,
the correct call is K5_TAILQ_FOREACH_SAFE, not K5_TAILQ_FOREACH.
Reported by Coverity.
ticket: 9015 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
src/lib/krad/remote.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index c96a9b4..a938665 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -220,12 +220,12 @@ static void
remote_shutdown(krad_remote *rr)
{
krb5_error_code retval;
- request *r;
+ request *r, *next;
remote_disconnect(rr);
/* Start timers for all unsent packets. */
- K5_TAILQ_FOREACH(r, &rr->list, list) {
+ K5_TAILQ_FOREACH_SAFE(r, &rr->list, list, next) {
if (r->timer == NULL) {
retval = request_start_timer(r, rr->vctx);
if (retval != 0)
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
