URL: https://github.com/freeipa/freeipa/pull/2283
Author: frozencemetery
Title: #2283: Clear next field when returning list elements in queue.c
Action: opened

PR body:
"""
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue.  When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.

Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
"""

To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2283/head:pr2283
git checkout pr2283
From ebf6b030267a117db9105832cf7b312bdc3d78aa Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Wed, 22 Aug 2018 15:32:16 -0400
Subject: [PATCH] Clear next field when returning list elements in queue.c

The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue.  When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.

Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
---
 daemons/ipa-otpd/queue.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/daemons/ipa-otpd/queue.c b/daemons/ipa-otpd/queue.c
index 9e29fb238d..28a1f82d83 100644
--- a/daemons/ipa-otpd/queue.c
+++ b/daemons/ipa-otpd/queue.c
@@ -111,6 +111,8 @@ void otpd_queue_push(struct otpd_queue *q, struct otpd_queue_item *item)
         q->head = q->tail = item;
     else
         q->tail = q->tail->next = item;
+
+    item->next = NULL;
 }
 
 void otpd_queue_push_head(struct otpd_queue *q, struct otpd_queue_item *item)
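Review bot: otpd_queue_push_head, visible as trailing context of this hunk, gets no matching change, although the commit message promises to clear next any time an element enters a queue. If that function always overwrites item->next when it links the item at the head, say so in the commit message; otherwise it needs the same treatment as otpd_queue_push. A one-line comment above "item->next = NULL;" noting that the item may arrive with a stale pointer from a previous queue would also help, since the assignment looks redundant to a reader who assumes freshly allocated items.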
@@ -145,6 +147,8 @@ struct otpd_queue_item *otpd_queue_pop(struct otpd_queue *q)
     if (q->head == NULL)
         q->tail = NULL;
 
+    if (item != NULL)
+        item->next = NULL;
     return item;
 }
 
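Review bot: Nothing in the patch exercises the new "item->next = NULL;" in otpd_queue_pop; the diffstat touches only daemons/ipa-otpd/queue.c. A small regression test that pops an item from a queue holding two or more elements, pushes it onto a second queue and then walks both queues to their end would pin down the double-membership case the commit message describes, and would catch a later refactor that drops the clearing. The "item != NULL" guard is right for the empty-queue return and should stay.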
@@ -160,6 +164,7 @@ struct otpd_queue_item *otpd_queue_pop_msgid(struct otpd_queue *q, int msgid)
             *prev = item->next;
             if (q->head == NULL)
                 q->tail = NULL;
+            item->next = NULL;
             return item;
         }
     }
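Review bot: In the lines shown for otpd_queue_pop_msgid, q->tail is reset only when q->head becomes NULL, so if the matched item was the tail of a queue with other elements, q->tail still points at it after "return item;". Clearing item->next does not cover that case: a later otpd_queue_push would link the new element through "q->tail->next" on an item that has already left the queue, which is the same class of cross-queue corruption this patch is meant to prevent. Consider tracking the predecessor during the walk and setting q->tail to it when the removed item is the tail, or confirm that code outside this hunk already handles it.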
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/H5QV3BTBKVKB7HARQMIWISUVPJBFU4ZS/
