Re: [net 1/1] tipc: fix use-after-free in tipc_nametbl_stop

From: Jon Maloy Date: Tue, 17 Apr 2018 21:25:42 +0200 > When we delete a service item in tipc_nametbl_stop() we loop over > all service ranges in the service's RB tree, and for each service > range we loop over its pertaining publications while calling >

[net 1/1] tipc: fix use-after-free in tipc_nametbl_stop

When we delete a service item in tipc_nametbl_stop() we loop over all service ranges in the service's RB tree, and for each service range we loop over its pertaining publications while calling tipc_service_remove_publ() for each of them. However, tipc_service_remove_publ() has the side effect