From a099794ab890979dbd9fb567c44fcb105da229ff Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 22 Aug 2018 15:32:16 -0400
Subject: [PATCH] Clear next field when returnining list elements in queue.c
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue.  When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.
Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
Related https://pagure.io/freeipa/issue/7262
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 daemons/ipa-otpd/queue.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/daemons/ipa-otpd/queue.c b/daemons/ipa-otpd/queue.c
index 9e29fb238d5c7a7395bcf3860ce7445c27ca98ac..2944b7ea0db6f49d0a3230b5f33c7a89281fd8c6 100644
--- a/daemons/ipa-otpd/queue.c
+++ b/daemons/ipa-otpd/queue.c
@@ -111,6 +111,8 @@ void otpd_queue_push(struct otpd_queue *q, struct otpd_queue_item *item)
         q->head = q->tail = item;
     else
         q->tail = q->tail->next = item;
+
+    item->next = NULL;
 }
 
 void otpd_queue_push_head(struct otpd_queue *q, struct otpd_queue_item *item)
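Review bot: Clearing `item->next` after the tail link at the end of otpd_queue_push only makes the pop-then-push pattern from the commit message safe; it does not make push safe for an element that is still linked in a queue. If `item` is still a member anywhere but the tail, `q->tail = q->tail->next = item` links it a second time and the trailing `item->next = NULL` then cuts off every element that followed it, so those elements are reachable only through the old predecessor and the double-free and truncation hazards remain for that case. The function header, and any NULL guard on `item`, is outside the hunk. I would state the precondition on the function rather than rely on the clear, e.g. `/* item must not currently be linked in any queue; detach it with otpd_queue_pop*() first. */`.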
@@ -118,6 +120,8 @@ void otpd_queue_push_head(struct otpd_queue *q, struct otpd_queue_item *item)
     if (item == NULL)
         return;
 
+    item->next = NULL;
+
     if (q->head == NULL)
         q->tail = q->head = item;
     else {
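Review bot: In otpd_queue_push_head the new `item->next = NULL;` is placed before the linking, whereas otpd_queue_push clears it after; the non-empty branch that starts at `else {` continues outside the hunk and presumably relinks `item->next` to the old head, so the added assignment only has an effect in the empty-queue branch. A one-line comment would stop the next reader from treating it as dead code, e.g. `/* Matters only when the queue is empty; the else branch relinks next. */`. As with push, an item that is still linked in some queue is not made safe by this clear, so the caller-side precondition still needs to be documented.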
@@ -145,6 +149,8 @@ struct otpd_queue_item *otpd_queue_pop(struct otpd_queue *q)
     if (q->head == NULL)
         q->tail = NULL;
 
+    if (item != NULL)
+        item->next = NULL;
     return item;
 }
 
@@ -160,6 +166,7 @@ struct otpd_queue_item *otpd_queue_pop_msgid(struct otpd_queue *q, int msgid)
             *prev = item->next;
             if (q->head == NULL)
                 q->tail = NULL;
+            item->next = NULL;
             return item;
         }
     }
-- 
2.17.1