autofs-5.1.1 - fix use-after-free in st_queue_handler()
From: Frank Sorenson <sorenson@redhat.com>
The task may be referenced after being freed. Move the
free to after the list_del_init.
Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: Ian Kent <raven@themaw.net>
---
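The ordering the message describes, as an added worked example that is not part of this patch or of autofs: a Linux-style intrusive list like the one daemon/state.c uses, with the struct and field names (state_queue, list, pending) taken from the hunk below and the list helpers re-implemented here on the assumption that they behave like the kernel's list.h. The point it makes runnable is that unlinking next->pending writes through its neighbour pointers, and with a single pending entry both of those point into task, so the unlink has to happen while task is still allocated.

```c
/*
 * Added example, not autofs code: a Linux-style intrusive list (as used by
 * daemon/state.c) and the corrected promotion order from the patch.  The
 * struct and field names (state_queue, list, pending) follow the patch; the
 * list helpers are re-implemented here on the assumption that the real ones
 * behave like the kernel's list.h.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };

#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h;
	h->prev->next = n; h->prev = n;
}

/* Unlinking n writes through n->prev and n->next: both neighbours must be live. */
static void list_del(struct list_head *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
}
static void list_del_init(struct list_head *n) { list_del(n); INIT_LIST_HEAD(n); }

struct state_queue {
	struct list_head list;    /* link in the daemon's task queue */
	struct list_head pending; /* list head of tasks queued behind this one */
	int state;
};

/* 1 if unlinking n would write inside [obj, obj + size): the UAF condition. */
static int unlink_touches(const struct list_head *n, const void *obj, size_t size)
{
	uintptr_t lo = (uintptr_t)obj, hi = lo + size;
	uintptr_t p = (uintptr_t)n->prev, q = (uintptr_t)n->next;
	return (p >= lo && p < hi) || (q >= lo && q < hi);
}

/* Post-fix order: take the first pending task off task's list, unlink it while
 * task is still allocated, only then free task, then queue next in its place. */
static struct state_queue *promote_next(struct list_head *head, struct state_queue *task)
{
	struct list_head *q = task->pending.next;
	struct state_queue *next = list_entry(q, struct state_queue, pending);

	list_del(&task->list);
	list_del_init(&next->pending); /* writes task->pending.{next,prev} */
	free(task);
	list_add_tail(&next->list, head);
	return next;
}

/* Build one queued task with one task pending behind it, then promote.
 * Returns 1 when (a) the unlink target was inside task, so the pre-fix
 * order (free first) would have written to freed memory, and (b) after the
 * corrected promotion the queue holds only next with an empty pending list. */
static int demo(void)
{
	struct list_head head;
	struct state_queue *task = calloc(1, sizeof *task);
	struct state_queue *next = calloc(1, sizeof *next);
	int touches, ok;

	if (!task || !next) {
		free(task);
		free(next);
		return -1;
	}
	INIT_LIST_HEAD(&head);
	INIT_LIST_HEAD(&task->pending);
	INIT_LIST_HEAD(&next->pending);
	list_add_tail(&task->list, &head);
	list_add_tail(&next->pending, &task->pending);

	touches = unlink_touches(&next->pending, task, sizeof *task);
	ok = promote_next(&head, task) == next
	     && head.next == &next->list && head.prev == &next->list
	     && list_empty(&next->pending);

	list_del(&next->list);
	free(next);
	return touches && ok;
}

int main(void)
{
	printf("unlink target inside task and promotion correct: %d\n", demo());
	return 0;
}
```

The example only moves the first pending entry, exactly as the hunk does; a queue that can hold several pending tasks would need the rest of task->pending spliced onto next->pending before the free as well, which is outside what this patch shows.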
CHANGELOG | 1 +
daemon/state.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- autofs-5.0.7.orig/CHANGELOG
+++ autofs-5.0.7/CHANGELOG
@@ -204,6 +204,7 @@
- fix use after free in open_lookup().
- fix typo in autofs_sasl_bind().
- add configuration option to use fqdn in mounts.
+- fix use-after-free in st_queue_handler().
25/07/2012 autofs-5.0.7
=======================
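Review bot: the subject says autofs-5.1.1 but both file headers in this patch use autofs-5.0.7.orig/ and autofs-5.0.7/ paths, and the new entry is inserted directly above the 25/07/2012 autofs-5.0.7 release marker; confirm that this is the tree the fix is meant for and that the entry lands in the section for the release named in the subject.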
--- autofs-5.0.7.orig/daemon/state.c
+++ autofs-5.0.7/daemon/state.c
@@ -1179,9 +1179,9 @@ remove:
struct state_queue, pending);
list_del(&task->list);
+ list_del_init(&next->pending);
free(task);
- list_del_init(&next->pending);
list_add_tail(&next->list, head);
if (p == head)
p = head->next;
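Review bot: the reorder is right. next is taken off task's own pending list (the list_entry(..., struct state_queue, pending) at the top of the hunk), so its prev link points at &task->pending and list_del_init(&next->pending) stores through that pointer; with free(task) first, as in the removed line, those stores land in freed memory, which is the use-after-free the subject names. One thing to check beyond the hunk: only the first pending entry is detached here, so if task->pending can hold more than one task, the remainder stay chained through &task->pending after the free unless the surrounding code splices them onto next->pending before this point. A one-line comment on the moved call would help the next reader, e.g. `/* unlink next from task->pending before task is freed */`.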