diff options
author | Linus Nordberg <linus@nordberg.se> | 2015-01-16 16:33:29 +0100 |
---|---|---|
committer | Linus Nordberg <linus@nordberg.se> | 2015-01-16 16:33:29 +0100 |
commit | 0c7f02c751405864266b78f0e358bbc28609e3ba (patch) | |
tree | 956148095813456d2ea8ce30b53f0bab029ae342 | |
parent | 0a1fa90d723d085bc869bc423619e1a8ee421fd0 (diff) |
Fix use-after-free in _internal_removeserversubrealms().
Patch by Stephen Röttger.
-rw-r--r-- | radsecproxy.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/radsecproxy.c b/radsecproxy.c index a074ec2..505afd0 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -777,6 +777,7 @@ int hasdynamicserver(struct list *srvconfs) { void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *srv) { struct list_node *entry, *entry2; struct realm *realm; + struct list *srvconfs; for (entry = list_first(realmlist); entry;) { realm = newrealmref((struct realm *)entry->data); @@ -784,16 +785,18 @@ void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *s entry = list_next(entry); if (realm->srvconfs) { + srvconfs = realm->srvconfs; for (entry2 = list_first(realm->srvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); - list_removedata(realm->srvconfs, srv); + list_removedata(srvconfs, srv); } if (realm->accsrvconfs) { + srvconfs = realm->accsrvconfs; for (entry2 = list_first(realm->accsrvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); - list_removedata(realm->accsrvconfs, srv); + list_removedata(srvconfs, srv); } /* remove subrealm if no dynamic servers left */ |