From: Jon Maloy <[email protected]> Date: Tue, 17 Apr 2018 21:25:42 +0200
> When we delete a service item in tipc_nametbl_stop() we loop over
> all service ranges in the service's RB tree, and for each service
> range we loop over its pertaining publications while calling
> tipc_service_remove_publ() for each of them.
>
> However, tipc_service_remove_publ() has the side effect that it also
> removes the comprising service range item when there are no publications
> left. This leads to a "use-after-free" access when the inner loop
> continues to the next iteration, since the range item holding the list
> we are looping no longer exists.
>
> We fix this by moving the delete of the service range item outside
> the said function. Instead, we now let the two functions calling it
> test if the list is empty and perform the removal when that is the
> case.
>
> Reported-by: [email protected]
> Signed-off-by: Jon Maloy <[email protected]>

Applied.

_______________________________________________
tipc-discussion mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tipc-discussion
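The bug pattern in the quoted commit message, a callee that frees the container the caller is still iterating, is worth seeing in isolation. The following is an added userspace model, not the TIPC kernel code: the structures `tipc_service`, `service_range` and `publication` and their singly linked lists are hypothetical stand-ins for the kernel's RB tree and `list_head`, and the function names only mirror the ones in the message. It shows the shape of the fix: the remove-publication routine never frees the range, and the outer loop checks for an empty list and drops the range itself once the inner loop has finished.

```c
#include <stdlib.h>

/* Hypothetical userspace stand-ins for the kernel's tipc_service,
 * service_range and publication objects; singly linked lists replace
 * TIPC's RB tree and list_head. */
struct publication {
    unsigned int key;
    struct publication *next;
};
struct service_range {
    unsigned int lower;
    struct publication *publs;   /* publications inside this range */
    struct service_range *next;
};
struct tipc_service {
    struct service_range *ranges;
    int nr_ranges;               /* live range count, for checking */
};

/* Remove one publication from a range.  After the fix this no longer
 * frees the range when the list becomes empty; the caller decides, so a
 * loop still walking the range's list never touches freed memory. */
static void service_remove_publ(struct service_range *sr, struct publication *p)
{
    struct publication **pp = &sr->publs;

    while (*pp && *pp != p)
        pp = &(*pp)->next;
    if (*pp) {
        *pp = p->next;
        free(p);
    }
}

/* Unlink and free a range; called only by the owner of the outer loop
 * once it has confirmed the range's publication list is empty. */
static void service_remove_range(struct tipc_service *sc, struct service_range *sr)
{
    struct service_range **pp = &sc->ranges;

    while (*pp && *pp != sr)
        pp = &(*pp)->next;
    if (*pp) {
        *pp = sr->next;
        free(sr);
        sc->nr_ranges--;
    }
}

/* Model of the tipc_nametbl_stop() loop after the fix.  Before the fix
 * the call inside the inner loop could free 'sr', and the loop's next
 * read of 'sr->publs' was the use-after-free.  Returns publications removed. */
static int service_delete(struct tipc_service *sc)
{
    struct service_range *sr, *next_sr;
    int removed = 0;

    for (sr = sc->ranges; sr; sr = next_sr) {
        next_sr = sr->next;              /* saved before sr is freed */
        while (sr->publs) {              /* sr is guaranteed alive here */
            service_remove_publ(sr, sr->publs);
            removed++;
        }
        /* list now empty: the caller, not the callee, drops the range */
        service_remove_range(sc, sr);
    }
    return removed;
}

/* Constructed sample data: a range with 'npubl' publications. */
static struct service_range *range_new(unsigned int lower, int npubl,
                                       struct service_range *next)
{
    struct service_range *sr = calloc(1, sizeof(*sr));
    if (!sr)
        abort();
    sr->lower = lower;
    sr->next = next;
    while (npubl-- > 0) {
        struct publication *p = malloc(sizeof(*p));
        if (!p)
            abort();
        p->key = lower + npubl;
        p->next = sr->publs;
        sr->publs = p;
    }
    return sr;
}

/* Build three ranges holding 2, 1 and 3 publications and tear the
 * service down.  Returns the number of publications removed (6), or -1
 * if any range item survived the teardown. */
int example_teardown(void)
{
    struct tipc_service sc = { NULL, 0 };
    int removed;

    sc.ranges = range_new(30, 3, NULL);
    sc.ranges = range_new(20, 1, sc.ranges);
    sc.ranges = range_new(1, 2, sc.ranges);
    sc.nr_ranges = 3;
    removed = service_delete(&sc);
    return sc.nr_ranges == 0 ? removed : -1;
}
```

The design point is ownership: whoever holds the iterator over a list must be the only party allowed to free the list's container, so the empty check moves to the two callers of the remove-publication routine, exactly as the message describes. Building with AddressSanitizer (`-fsanitize=address`) is the quickest way to confirm that a variant which frees `sr` inside the callee faults on the next `sr->publs` read.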
