95ea96
From a099794ab890979dbd9fb567c44fcb105da229ff Mon Sep 17 00:00:00 2001
2737e7
From: Robbie Harwood <rharwood@redhat.com>
2737e7
Date: Wed, 22 Aug 2018 15:32:16 -0400
2737e7
Subject: [PATCH] Clear next field when returning list elements in queue.c
2737e7
2737e7
The ipa-otpd code occasionally removes elements from one queue,
2737e7
inspects and modifies them, and then inserts them into
2737e7
another (possibly identical, possibly different) queue.  When the next
2737e7
pointer isn't cleared, this can result in element membership in both
2737e7
queues, leading to double frees, or even self-referential elements,
2737e7
causing infinite loops at traversal time.
2737e7
2737e7
Rather than eliminating the pattern, make it safe by clearing the next
2737e7
field any time an element enters or exits a queue.
2737e7
2737e7
Related https://pagure.io/freeipa/issue/7262
2737e7
2737e7
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2737e7
---
2737e7
 daemons/ipa-otpd/queue.c | 7 +++++++
2737e7
 1 file changed, 7 insertions(+)
2737e7
2737e7
diff --git a/daemons/ipa-otpd/queue.c b/daemons/ipa-otpd/queue.c
2737e7
index 9e29fb238d5c7a7395bcf3860ce7445c27ca98ac..2944b7ea0db6f49d0a3230b5f33c7a89281fd8c6 100644
2737e7
--- a/daemons/ipa-otpd/queue.c
2737e7
+++ b/daemons/ipa-otpd/queue.c
2737e7
@@ -111,6 +111,8 @@ void otpd_queue_push(struct otpd_queue *q, struct otpd_queue_item *item)
2737e7
         q->head = q->tail = item;
2737e7
     else
2737e7
         q->tail = q->tail->next = item;
2737e7
+
2737e7
+    item->next = NULL;
2737e7
 }
2737e7
 
2737e7
 void otpd_queue_push_head(struct otpd_queue *q, struct otpd_queue_item *item)
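Review bot: In otpd_queue_push the new `item->next = NULL;` runs only after the item has been linked as tail, so in the double-insert case the commit describes (the item being pushed is already `q->tail`) the line `q->tail = q->tail->next = item;` first makes the element self-referential and the clear then repairs it; otpd_queue_push_head in the next hunk clears first and links afterwards. For consistency and simpler reasoning I would move the clear above the `if`, mirroring push_head, and state the invariant the rest of the daemon now depends on: `/* An item belongs to at most one queue and has next == NULL whenever it is outside any queue; clear it on entry so a re-pushed item cannot carry a stale link. */`. Whether otpd_queue_push rejects a NULL item the way push_head does is not visible here, as the function's opening lines lie outside the hunk.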
2737e7
@@ -118,6 +120,8 @@ void otpd_queue_push_head(struct otpd_queue *q, struct otpd_queue_item *item)
2737e7
     if (item == NULL)
2737e7
         return;
2737e7
 
2737e7
+    item->next = NULL;
2737e7
+
2737e7
     if (q->head == NULL)
2737e7
         q->tail = q->head = item;
2737e7
     else {
2737e7
@@ -145,6 +149,8 @@ struct otpd_queue_item *otpd_queue_pop(struct otpd_queue *q)
2737e7
     if (q->head == NULL)
2737e7
         q->tail = NULL;
2737e7
 
2737e7
+    if (item != NULL)
2737e7
+        item->next = NULL;
2737e7
     return item;
2737e7
 }
2737e7
 
2737e7
@@ -160,6 +166,7 @@ struct otpd_queue_item *otpd_queue_pop_msgid(struct otpd_queue *q, int msgid)
2737e7
             *prev = item->next;
2737e7
             if (q->head == NULL)
2737e7
                 q->tail = NULL;
2737e7
+            item->next = NULL;
2737e7
             return item;
2737e7
         }
2737e7
     }
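Review bot: The unlink in otpd_queue_pop_msgid only resets `q->tail` when the queue becomes empty (`if (q->head == NULL) q->tail = NULL;`), so if the matching item is the tail of a queue with more than one element, `q->tail` appears to keep pointing at the removed item; the next otpd_queue_push would then write `q->tail->next` through an element that the caller may already have freed. The loop header is outside this hunk, so if tail tracking happens there this does not apply, but nothing in the visible lines handles it. A fix is to keep a pointer to the previously visited item in the loop and, before the new `item->next = NULL;`, add `if (q->tail == item) q->tail = last;`, which also covers the single-element case since `last` is NULL there. The function's closing lines after the loop are outside the hunk.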
2737e7
-- 
2737e7
2.17.1
2737e7