rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0037-Clear-next-field-when-returnining-list-elements-in-q.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   a2f1a92f1934e8c103bb88ef0828da879ba2bb97
  2.   SOURCES
  3.   0037-Clear-next-field-when-returnining-list-elements-in-q.patch
Blob History Raw
95ea96 
From a099794ab890979dbd9fb567c44fcb105da229ff Mon Sep 17 00:00:00 2001
2737e7 
From: Robbie Harwood <rharwood@redhat.com>
2737e7 
Date: Wed, 22 Aug 2018 15:32:16 -0400
2737e7 
Subject: [PATCH] Clear next field when returnining list elements in queue.c
2737e7
2737e7 
The ipa-otpd code occasionally removes elements from one queue,
2737e7 
inspects and modifies them, and then inserts them into
2737e7 
another (possibly identical, possibly different) queue.  When the next
2737e7 
pointer isn't cleared, this can result in element membership in both
2737e7 
queues, leading to double frees, or even self-referential elements,
2737e7 
causing infinite loops at traversal time.
2737e7
2737e7 
Rather than eliminating the pattern, make it safe by clearing the next
2737e7 
field any time an element enters or exits a queue.
2737e7
2737e7 
Related https://pagure.io/freeipa/issue/7262
2737e7
2737e7 
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2737e7 
---
2737e7 
 daemons/ipa-otpd/queue.c | 7 +++++++
2737e7 
 1 file changed, 7 insertions(+)
2737e7
2737e7 
diff --git a/daemons/ipa-otpd/queue.c b/daemons/ipa-otpd/queue.c
2737e7 
index 9e29fb238d5c7a7395bcf3860ce7445c27ca98ac..2944b7ea0db6f49d0a3230b5f33c7a89281fd8c6 100644
2737e7 
--- a/daemons/ipa-otpd/queue.c
2737e7 
+++ b/daemons/ipa-otpd/queue.c
2737e7 
@@ -111,6 +111,8 @@ void otpd_queue_push(struct otpd_queue *q, struct otpd_queue_item *item)
2737e7 
         q->head = q->tail = item;
2737e7 
     else
2737e7 
         q->tail = q->tail->next = item;
2737e7 
+
2737e7 
+    item->next = NULL;
2737e7 
 }
2737e7
2737e7 
 void otpd_queue_push_head(struct otpd_queue *q, struct otpd_queue_item *item)
2737e7 
@@ -118,6 +120,8 @@ void otpd_queue_push_head(struct otpd_queue *q, struct otpd_queue_item *item)
2737e7 
     if (item == NULL)
2737e7 
         return;
2737e7
2737e7 
+    item->next = NULL;
2737e7 
+
2737e7 
     if (q->head == NULL)
2737e7 
         q->tail = q->head = item;
2737e7 
     else {
2737e7 
@@ -145,6 +149,8 @@ struct otpd_queue_item *otpd_queue_pop(struct otpd_queue *q)
2737e7 
     if (q->head == NULL)
2737e7 
         q->tail = NULL;
2737e7
2737e7 
+    if (item != NULL)
2737e7 
+        item->next = NULL;
2737e7 
     return item;
2737e7 
 }
2737e7
2737e7 
@@ -160,6 +166,7 @@ struct otpd_queue_item *otpd_queue_pop_msgid(struct otpd_queue *q, int msgid)
2737e7 
             *prev = item->next;
2737e7 
             if (q->head == NULL)
2737e7 
                 q->tail = NULL;
2737e7 
+            item->next = NULL;
2737e7 
             return item;
2737e7 
         }
2737e7 
     }
2737e7 
--
2737e7 
2.17.1
2737e7

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation